'PixPirate' RAT Invisibly Triggers Wire Transfers From Android Devices

A multitooled Trojan cuts apart Brazil's premier wire transfer app. Could similar malware do the same to Venmo, Zelle, or PayPal?

A sophisticated Brazilian banking Trojan is using a novel method for hiding its presence on Android devices.

"PixPirate" is a multipronged malware specially crafted to exploit Pix, an app for making bank transfers developed by the Central Bank of Brazil. Pix makes a good target for Brazil-nexus cybercriminals since, despite being hardly 3 years old, it's already integrated into most Brazilian banks' online platforms and sports more than 150 million users according to Statista. Each month, it processes somewhere in the range of 3 billion transactions, totaling around $250 billion worth of Brazilian real.

PixPirate's newest powerful trick, documented in a new blog post from IBM, is how it cleverly hides its presence on an Android device — no app icon, seemingly no footprint whatsoever — despite protections which Google engineers designed to prevent this specific thing from happening. And experts warn that a similar tactic could be employed by banking malware targeting the US and EU, as well.

How PixPirate Infections Work

PixPirate is a cutting-edge heir to the banking Trojans of yesteryear.

It typically spreads via a fake bank authentication app, sent to potential victims using WhatsApp or SMS. Clicking the link downloads a downloader, which then prompts the user to further download an "updated" version of the fake app (which is the PixPirate payload).

"From the victim's perspective, they are unaware of the PixPirate malware being installed by the downloader because in their eyes the downloader is legitimate. So, they are unlikely to suspect anything suspicious," explains Nir Somech, security mobile researcher at IBM Trusteer.

Once comfortably embedded in an Android phone, the malware sits and waits until a user opens up a real banking app. At that point, it springs into action, grabbing the login credentials they type in and sending them to an attacker-controlled command-and-control (C2) server. With account access in hand, it shows the user a fake overlay screen while it opens the banking app underneath, programmatically presses the buttons necessary to reach its Pix page, and then executes an unauthorized transfer.

PixPirate also features dozens of other capabilities to ease this financial fraud, from pinpointing the device's location to keylogging, locking and unlocking its screen, accessing contacts and call histories, installing and deleting apps, persisting after reboots, and more.

However, its newest, most advanced feature lies in how it hides all evidence of itself from the user.

How PixPirate Hides Itself on an Android

Traditionally, malicious apps have concealed their presence on compromised devices by simply hiding their home screen icons.

As of Android 10, however, this became impossible. Nowadays, all app icons must be visible, save for system apps, or those that don't seek permissions from the user.

Like every cybersecurity advancement before it, this positive change also served as a creative constraint. "It enabled threat actors to adapt, which is what we're seeing with this new mechanism, where the icon doesn't need concealing because it simply doesn't exist," says Somech.

By "doesn't exist," he means that PixPirate has no main activity on the device — no launcher to begin with. How, then, does an app without a launcher launch?

The key is that, instead of the payload, the downloader is effectively the app that runs on the device. When it wants to, it launches the payload by creating and binding to an exported service capable of running it. Then the two continue to communicate, and they pass on malicious commands.

For persistence, after the first time it's triggered by the downloader, the payload service also binds to other "receivers," which are activated when certain other events trigger on the device.

According to IBM Trusteer, this is the first financial malware to ever use this method for running without an app icon.
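
A defender's triage of that pattern, as an added example that is not from the article or IBM's post: it reads a decoded AndroidManifest.xml and flags a package that has no MAIN/LAUNCHER activity but does expose an exported service, and lists the broadcast actions its receivers wait on. The sample manifest, its package name and its component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical launcher-less payload APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payload">
  <application>
    <service android:name=".Worker" android:exported="true">
      <intent-filter><action android:name="com.example.payload.START"/></intent-filter>
    </service>
    <receiver android:name=".Wake" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def _names(component, tag):
    # Collect android:name values of all <tag> elements under a component.
    return {e.get(ANDROID + "name") for e in component.iter(tag)}

def _exported(component):
    # With no explicit android:exported, a component that declares an
    # intent-filter was exported by default for apps targeting below API 31.
    flag = component.get(ANDROID + "exported")
    if flag is None:
        return component.find("intent-filter") is not None
    return flag == "true"

def triage(manifest_xml):
    # Returns the launcher/service/receiver facts an analyst would check first.
    app = ET.fromstring(manifest_xml).find("application")
    findings = {"has_launcher": False, "exported_services": [],
                "receiver_triggers": [], "suspicious": False}
    if app is None:
        return findings
    for act in list(app.iter("activity")) + list(app.iter("activity-alias")):
        for f in act.iter("intent-filter"):
            if ("android.intent.action.MAIN" in _names(f, "action")
                    and "android.intent.category.LAUNCHER" in _names(f, "category")):
                findings["has_launcher"] = True
    findings["exported_services"] = [s.get(ANDROID + "name")
                                     for s in app.iter("service") if _exported(s)]
    for r in app.iter("receiver"):
        findings["receiver_triggers"] += sorted(_names(r, "action"))
    # No icon plus an externally startable service is the combination described above.
    findings["suspicious"] = (not findings["has_launcher"]
                              and bool(findings["exported_services"]))
    return findings
```

Legitimate plug-ins and widget-only packages also ship without a launcher activity, so a hit here is a reason to look at which installed app binds to the service, not a verdict.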

In a statement to Dark Reading, a Google spokesperson noted: "Based on our current detections, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."

Are US Payment Apps Vulnerable?

For anyone worried that PixPirate might portend a threat to US banks and banking apps — such as Venmo, Zelle, and PayPal — there is both good and bad news.

The good news is that the malware is bespoke. "PixPirate exploits specific functionalities and vulnerabilities within the Pix payment system, which may not directly apply to US payment apps with differing architectures and security mechanisms," explains Sarah Jones, cyber threat intelligence research analyst at Critical Start. "Even if core functionalities could be adapted, the malware's reliance on abusing accessibility services might require modifications to align with different accessibility implementations used by US apps."

However, she warns, "While an exact replica may face obstacles, the underlying techniques employed by PixPirate pose concerns for US payment systems. The concept of abusing accessibility services for malicious purposes could inspire attackers to target other vulnerable functionalities in US apps."

"Thus," she concludes, "while the direct threat of PixPirate to US payment systems may be limited, its emergence underscores the importance of proactive security measures in safeguarding sensitive financial information."

Story updated on March 14 with a statement from Google.

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
