Android banker PixPirate uses a new cloaking method on victims' devices

Researchers have discovered that the latest version of the PixPirate banking Trojan for Android employs a new method to hide on users’ devices and remain active even if the original dropper application is removed.

PixPirate was first detected by Cleafy TIR experts last year, primarily targeting users in Latin American countries. While Cleafy previously noted that the malware is launched by a separate loader application, the report did not detail PixPirate’s unusual masking methods, which it may not have been using at the time.

In a new IBM report on this malware, it is revealed that PixPirate does not employ the standard tactic of hiding its icon from the user (which works on Android up to version 9). Instead, the banking Trojan does not use an icon at all, allowing it to remain unnoticed even on the latest Android versions (up to 14).

However, not using an icon creates an obvious problem: the victim cannot find and launch the malicious program.

IBM researchers explain that the new versions of PixPirate use two different applications that work together. The first application is a loader, distributed through APK files and phishing messages sent to victims via WhatsApp or SMS.

During installation, the loader requests dangerous permissions from the user, including Accessibility Services, and then downloads and installs the second droppee application, which is an encrypted PixPirate banker.

In turn, the droppee application does not declare its main activity with the android.intent.action.MAIN and android.intent.category.LAUNCHER parameters in the manifest, so no icon appears on the device’s home screen, making the application nearly invisible.

Instead, the droppee exports a service that other applications can bind to, and the loader binds to it whenever it wants to start PixPirate. Besides the loader, which can launch and control the malware, triggers include device boot, connectivity changes, and other system events that PixPirate monitors while running in the background.

“Droppee utilizes the exported service com.companian.date.sepherd and contains an intent filter with a custom action com.ticket.stage.Service. When the loader wants to start droppee, it creates and binds this service using the BindService API with the BIND_AUTO_CREATE flag. After the droppee APK service is created and bound, it starts running,” explain the researchers.

Even if the victim deletes the loader application from their device, PixPirate will continue to hide from the user and continue to launch due to various events on the device.
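The manifest layout described above (no MAIN/LAUNCHER activity, but an exported service with a custom intent-filter action) is something an analyst can check for mechanically. The following triage script is an added example, not code from the article or from IBM; it parses a decoded AndroidManifest.xml and flags that combination. The two sample manifests are constructed for the demonstration, reusing only the component and action names quoted in the article.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # prefix ElementTree gives android: attrs

def _is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter makes it exported."""
    exported = component.get(NS + "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None

def _filter_names(component, tag):
    """All <action>/<category> android:name values across the component's filters."""
    return {e.get(NS + "name") for f in component.findall("intent-filter") for e in f.findall(tag)}

def triage_manifest(xml_text):
    """Report launcher presence, exported services with custom (non-android.*) actions,
    and whether both together match the 'no icon, but bindable from outside' pattern."""
    app = ET.fromstring(xml_text).find("application")
    has_launcher = False
    for act in app.findall("activity") + app.findall("activity-alias"):
        for f in act.findall("intent-filter"):  # MAIN and LAUNCHER must share one filter
            acts = {a.get(NS + "name") for a in f.findall("action")}
            cats = {c.get(NS + "name") for c in f.findall("category")}
            if "android.intent.action.MAIN" in acts and "android.intent.category.LAUNCHER" in cats:
                has_launcher = True
    exported = []
    for svc in app.findall("service"):
        custom = sorted(a for a in _filter_names(svc, "action") if a and not a.startswith("android."))
        if custom and _is_exported(svc):
            exported.append((svc.get(NS + "name"), custom))
    return {"has_launcher": has_launcher, "exported_services": exported,
            "hidden_bindable": not has_launcher and bool(exported)}

# Constructed sample manifests (not taken from a real APK): the first mirrors the droppee
# layout the article describes, the second is an ordinary app with a launcher activity.
DROPPEE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application>
  <service android:name="com.companian.date.sepherd" android:exported="true">
    <intent-filter><action android:name="com.ticket.stage.Service"/></intent-filter>
  </service>
</application></manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application>
  <activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity>
  <service android:name=".Sync" android:exported="false"/>
</application></manifest>"""
```

Run it against the manifest that apktool or a similar decoder produces for a sample; a result with `hidden_bindable` set is worth a closer look, though legitimate background-only apps can show the same shape.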

PixPirate got its name due to its focus on the Brazilian instant payment platform Pix. The malware creators aim to redirect victims’ funds to themselves by intercepting or initiating fraudulent Pix transactions. According to IBM, Pix is very popular in Brazil, where it is used by more than 140 million people.

The RAT capabilities of PixPirate allow it to automate the entire fraud process, from intercepting user credentials and two-factor authentication codes to executing unauthorized Pix transactions. Moreover, all this happens in the background, without the users’ knowledge, although it requires permission to use the Accessibility Service.

Additionally, experts note that the malware has a backup manual control mechanism in case the automation fails.
