PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time

A newly identified Android banking trojan capable of hijacking Brazil's instant payment transfers, targeting one of the country's most widely used financial systems, has been uncovered by security researchers.

The malware, known as PixRevolution, silently monitors victims' smartphones and redirects funds during PIX transactions, according to a new analysis from mobile security firm Zimperium.

Brazil's PIX platform, introduced in 2020 by the Central Bank of Brazil, allows instant payments that settle within seconds. The system has transformed the country's financial landscape, with more than 76% of Brazilians using it and over three billion transactions processed each month.

The researchers said PixRevolution exploits the speed and irreversibility of those transfers. Once a PIX payment is completed, it cannot be reversed, which makes the system an attractive target for financial cybercrime.

Real-Time Payment Hijacking

The trojan remains hidden on a victim's device until a PIX transaction is initiated. When a user enters the recipient's payment key and confirms the transfer, the malware briefly displays a loading screen reading "Aguarde…", Portuguese for "please wait."

Behind the scenes, however, the malware replaces the recipient's key with one controlled by attackers. The transaction completes as normal, leaving the victim unaware that the funds were redirected.

Unlike many banking trojans that rely on automated scripts, PixRevolution uses what researchers called an "agent-in-the-loop" model. A remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed.

Zimperium said the malware relies on several coordinated techniques:

  • Continuous monitoring through Android accessibility permissions

  • Live screen streaming to an attacker-controlled command server

  • Keyword detection to identify financial transactions

  • A fake loading overlay that hides the moment payment details are replaced

The entire manipulation takes only seconds and leaves little indication that anything unusual occurred.

Fake Apps Used to Spread Malware

Zimperium warned that the campaign spreads through fraudulent download pages designed to resemble the official Google Play store. These sites imitate real app listings, complete with descriptions, ratings and installation buttons. Instead of redirecting to the genuine store, the button downloads a malicious Android file.

Researchers identified multiple samples impersonating well-known Brazilian services, including travel platforms, postal services, investment apps and antivirus software.

After installation, users are prompted to enable an accessibility service called "Revolution." The onboarding page claims the permission is required to activate app features and reassures users that no personal information is collected.

Once granted, however, the trojan gains extensive access to the device, including the ability to read screen content and simulate taps.
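As an added, defender-side example (not code from the article, from Zimperium, or from the malware): a small Python checker that parses the device's enabled accessibility services, as returned by `adb shell settings get secure enabled_accessibility_services`, and flags any entry outside a reviewed allowlist or whose service name contains "Revolution". The allowlist and the placeholder package name in the sample are assumptions, not indicators from the analysis.

```python
"""Flag unexpected Android accessibility services from `settings` output.

Added example; it parses the colon-separated 'package/ServiceClass' list that
Android stores in the secure setting enabled_accessibility_services.
"""
import subprocess
from typing import Iterable, List, Optional, Tuple

# Packages an organisation has reviewed (assumed allowlist; adjust per fleet).
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}
# Service-name fragments worth a second look; "Revolution" is the label the
# campaign's onboarding page asks users to enable.
SUSPICIOUS_FRAGMENTS = ("revolution",)


def parse_services(raw: str) -> List[Tuple[str, str]]:
    """Split 'pkg/cls:pkg2/cls2' into (package, class) tuples; 'null' means none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    out = []
    for entry in raw.split(":"):
        if not entry:                     # tolerate a trailing colon
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):           # short form: class relative to package
            cls = pkg + cls
        out.append((pkg, cls))
    return out


def suspicious_services(raw: str, allow: Iterable[str] = KNOWN_GOOD_PACKAGES) -> List[str]:
    """Return entries not on the allowlist or matching a suspicious fragment."""
    allowed = set(allow)
    flagged = []
    for pkg, cls in parse_services(raw):
        name_hit = any(f in cls.lower() for f in SUSPICIOUS_FRAGMENTS)
        if pkg not in allowed or name_hit:
            flagged.append(f"{pkg}/{cls}")
    return flagged


def read_enabled_services(serial: Optional[str] = None) -> str:
    """Query a connected device over adb (needs adb on PATH and USB debugging)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample; 'com.example.fakeapp' is a placeholder, not a real IoC.
    sample = ("com.google.android.marvin.talkback/.TalkBackService:"
              "com.example.fakeapp/.RevolutionService")
    for entry in suspicious_services(sample):
        print("REVIEW:", entry)
```

Running it against a real device means replacing `sample` with `read_enabled_services()`; anything flagged is a prompt for a manual look, not proof of infection.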

With more than 150 million PIX users in Brazil and billions of monthly transactions, researchers warn that even a small success rate for attacks like PixRevolution could lead to significant financial losses.