Novel Banking Trojan 'PixPirate' Targets Brazil

A new Android banking Trojan dubbed "PixPirate" has been spotted targeting financial institutions in Brazil between the end of 2022 and the beginning of this year.

The findings come from security experts at Cleafy, who described the new threat in an advisory published on Friday.

"PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS (automatic transfer system), enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks," reads the technical write-up.

According to Cleafy security researchers Francesco Lubatti and Alessandro Strino, the primary goal of this malware was to steal sensitive information and perpetrate fraud attempts on Pix users.

"PixPirate is usually delivered using a dropper application, used to download (or in some cases just to unpack) and install the banking trojan," reads the advisory.

"During its installation, PixPirate immediately tries to enable Accessibility Services that keep being requested persistently with fake pop-ups until the victim accepts."

Once these permissions are granted, the threat actors were observed using PixPirate to write scripts that interact with the device's UI and perform actions such as entering text, simulating touch events and scrolling through lists.
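The delivery chain described above (a sideloaded dropper that then coerces the victim into enabling an Accessibility Service) leaves two artefacts a responder can check on a device: which accessibility services are enabled, and who installed the packages behind them. The following is an added triage example, not code from Cleafy's advisory; the sample `adb` output, package names and the trusted-installer rule are constructed assumptions.

```python
# Added example: flag enabled Android accessibility services whose package
# is not on an allowlist and was not installed by a trusted installer.
# Sample output below is constructed; package names are hypothetical.

# Shape of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.dropper.payload/com.example.dropper.payload.AccService"
)

# Shape of `adb shell pm list packages -i`: package name plus its installer.
PACKAGE_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.dropper.payload  installer=null
package:com.example.bank  installer=com.android.vending
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

def parse_enabled_services(raw):
    """Split the colon-separated setting value into component names."""
    return [entry for entry in raw.strip().split(":") if entry]

def parse_installers(raw):
    """Map package name -> installer package ('null' when sideloaded)."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, installer = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = installer.strip() or "null"
    return installers

def suspicious_accessibility_services(services_raw, packages_raw):
    """Return (service, [reasons]) for services that warrant a closer look."""
    installers = parse_installers(packages_raw)
    findings = []
    for svc in parse_enabled_services(services_raw):
        if svc in KNOWN_GOOD_SERVICES:
            continue
        pkg = svc.split("/", 1)[0]
        installer = installers.get(pkg, "unknown")
        reasons = ["accessibility service not on allowlist"]
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"package installed via {installer} (possible sideloaded dropper)")
        findings.append((svc, reasons))
    return findings
```

On a real device, feed it the live output of the two `adb` commands; a hit with both reasons matches the dropper-plus-accessibility pattern the advisory describes.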

"After inspecting PixPirate code, we identified a few references related to a framework called Auto.js. This is an open-source tool for automating tasks on Android devices using JavaScript," Lubatti and Strino wrote.

"Auto.js also provides a built-in JavaScript interpreter, which allows scripts to run on the device itself without the need for an external runtime." 

The researchers further explained that Auto.js represents a new framework for mobile banking Trojans that allows malicious actors to speed up the development phase via JavaScript automation scripts, web communication management features within the application and built-in code encryption/obfuscation capabilities.

"The introduction of ATS capabilities paired with frameworks that will help the development of mobile applications, using flexible and more widespread languages [...], could lead to more sophisticated malware that, in the future, could be compared with their workstation counterparts."

The Cleafy advisory comes a couple of months after Flashpoint suggested Brazil was in third place in the list of countries with the most data breaches in 2022.
