Categories
Brand

PixPirate: The Brazilian financial malware you can’t see

الخميس، 21 مارس 2024

PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this malware attacking banks in Brazil.

A hidden threat

Within IBM Trusteer, we saw several different techniques to hide malware from its victims. Most banking malware conceals its existence on the mobile device by hiding its launcher icon from the victim using the SetComponentEnabeldSetting application programming interface (API). However, since Android 10, that technique no longer works due to new restrictions imposed by Google.

To address this new challenge, PixPirate introduced a new technique to hide its icon that we have never seen financial malware use before. Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background.

PixPirate abuses the accessibility service to gain RAT capabilities, monitor the victim’s activities and steal the victim’s online banking credentials, credit card details and login information of all targeted accounts. If two-factor authentication (2FA) is needed to complete the fraudulent transaction, the malware can also access, edit and delete the victim’s SMS messages, including any messages the bank sends.

PixPirate uses modern capabilities and poses a serious threat to its victims. Here is a short list of PixPirate’s main malicious capabilities:

  • Manipulating and controlling other applications
  • Keylogging
  • Collecting a list of apps installed on the device
  • Installing and removing apps from the infected device
  • Locking and unlocking device screen
  • Accessing registered phone accounts
  • Accessing contact list and ongoing calls
  • Pinpointing device location
  • Anti-virtual machine (VM) and anti-debug capabilities
  • Persistence after reboot
  • Spreading through WhatsApp
  • Reading, editing and deleting SMS messages
  • Anti-removal and disabling Google Play Protect

Thanks to its RAT capabilities, PixPirate can perform on-device fraud (ODF) and execute the fraud from the victim’s device to avoid detection by the bank’s security and fraud detection systems.

 

Leave your comment
*
*