PixPirate Android malware uses new tactic to hide on phones

March 13, 2024 at 02:19PM

The latest PixPirate banking trojan for Android conceals itself on phones even after its dropper app is removed. It avoids using a launcher icon and is designed to remain hidden on recent Android versions. Employing two apps, it steals information and targets the Brazilian instant payment platform Pix to initiate fraudulent transactions. IBM Trusteer researchers have highlighted its alarming new strategy.

Key takeaways:

1. The PixPirate banking trojan for Android has evolved to remain hidden and active on a phone even after its dropper app is removed, using new hiding and persistence methods.

2. The malware operates by using two different apps that collaborate to steal information from devices. The first app, known as a ‘downloader,’ installs the second app, named ‘droppee,’ which contains the encrypted PixPirate banking malware.

3. The ‘droppee’ app stays completely invisible on the home screen because it declares no activity with the MAIN/LAUNCHER intent filter, so the launcher has no icon to show. Instead, it exports a service that the downloader app binds to in order to trigger the launch of the PixPirate malware.

4. Even if the victim removes the downloader app, PixPirate can continue to launch based on different device events and remain hidden from the user.

5. The malware targets the Brazilian instant payment platform Pix, aiming to divert funds to attackers by intercepting or initiating fraudulent transactions. It is capable of automating the entire fraud process, from capturing user credentials and two-factor authentication codes to executing unauthorized Pix money transfers in the background.

6. PixPirate also possesses the capability to disable Google Play Protect, uses push notification malvertising, and employs a fallback manual control mechanism for on-device fraud.

7. Reports have been made to Google regarding the malware’s tactics, and updates on any measures to block these tactics are pending.
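
The hiding pattern in takeaways 3 and 4 (no launcher activity, an exported service for the downloader to bind to, relaunch on device events) can be turned into a manifest triage check. The Python below is an added example, not code from the article or from IBM Trusteer. The two manifests are constructed, the package and class names are hypothetical, and BOOT_COMPLETED stands in for the device events the article does not name. Given a decoded AndroidManifest.xml (for instance from apktool), it flags apps that have no MAIN/LAUNCHER activity yet expose a service or register for system broadcasts:

```python
"""Triage AndroidManifest.xml for the 'icon-less droppee' shape.

Added example; not code from the article or IBM Trusteer. Manifests and
package/class names below are constructed and hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _aname(el, attr="name"):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get("{%s}%s" % (ANDROID_NS, attr))


def _filter_has(intent_filter, tag, value):
    return any(_aname(child) == value for child in intent_filter.findall(tag))


def has_launcher_activity(app):
    """True if any activity (or alias) carries the MAIN + LAUNCHER filter,
    which is what gives an app a home-screen icon."""
    for comp in app.findall("activity") + app.findall("activity-alias"):
        for f in comp.findall("intent-filter"):
            if (_filter_has(f, "action", "android.intent.action.MAIN")
                    and _filter_has(f, "category", "android.intent.category.LAUNCHER")):
                return True
    return False


def exported_services(app):
    """Names of services another app could bind to.
    Explicit android:exported="true" counts; before targetSdk 31 a service
    with an intent-filter was exported by default, so that counts too."""
    names = []
    for svc in app.findall("service"):
        exported = _aname(svc, "exported")
        if exported == "true" or (exported is None and svc.find("intent-filter") is not None):
            names.append(_aname(svc))
    return names


def event_triggers(app):
    """Broadcast actions the app registers receivers for (system events that
    can start it without any user interaction)."""
    return [_aname(a) for rcv in app.findall("receiver") for a in rcv.iter("action")]


def assess(manifest_xml):
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    result = {"package": root.get("package"), "launcher": False,
              "exported_services": [], "event_triggers": [], "suspicious": False}
    if app is None:
        return result
    result["launcher"] = has_launcher_activity(app)
    result["exported_services"] = exported_services(app)
    result["event_triggers"] = event_triggers(app)
    # No icon plus an externally reachable entry point is the shape to triage.
    result["suspicious"] = (not result["launcher"]) and bool(
        result["exported_services"] or result["event_triggers"])
    return result


# Constructed manifest in the droppee shape: no MAIN/LAUNCHER activity, an
# exported service for the downloader to bind to, and a receiver for a device
# event (BOOT_COMPLETED is an assumption; the article does not name the events).
DROPPEE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.droppee">
  <application>
    <service android:name=".LoaderService" android:exported="true"/>
    <receiver android:name=".EventReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app with an icon and a private service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (DROPPEE_MANIFEST, BENIGN_MANIFEST):
        print(assess(m))
```

Treat the flag as a triage signal, not a verdict: keyboards, live wallpapers and many OEM or carrier components legitimately have no launcher icon. An icon-less package is still listed in Settings > Apps and by `adb shell pm list packages`, so on a suspect device the check is worth pairing with a diff of installed packages against a known-good baseline.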

These takeaways provide a comprehensive understanding of the PixPirate banking trojan’s advanced methods and potential impacts on device security and financial transactions.