A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform.
Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate.
“PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS (Automatic Transfer System), enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks,” researchers Francesco Iubatti and Alessandro Strino said.
It is also the latest addition in a long list of Android banking malware to abuse the operating system’s accessibility services API to carry out its nefarious functions, including disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and serving rogue ads via push notifications.
Besides stealing passwords entered by users on banking apps, the threat actors behind the operation have leveraged code obfuscation and encryption using a framework known as Auto.js to resist reverse engineering efforts.