    PixPirate Android Banking Trojan Employing Novel Evasion Technique to Target Brazilian Users

    The threat actors behind the PixPirate Android banking trojan have adopted a new technique to evade detection on compromised devices and covertly harvest sensitive information from users in Brazil.

    The new approach hides the malicious app’s icon from the home screen of the victim’s device, according to a technical report published by IBM today.

    “In virtue of this newfound technique, the victim, during the PixPirate reconnaissance and assault phases, remains blissfully unaware of the nefarious operations executed in the background by this malware,” said security researcher Nir Somech.

    PixPirate, first documented by Cleafy in February 2023, is known for abusing Android’s accessibility services to carry out unauthorized fund transfers through the PIX instant payment platform whenever a targeted banking app is opened.

    The constantly evolving malware can also steal victims’ online banking credentials and credit card details, log keystrokes, and intercept SMS messages to obtain two-factor authentication codes.

    Cybersecurity Maneuvers

    Typically distributed via SMS and WhatsApp, the attack chain relies on a dropper (also called a downloader) app whose job is to deliver the main payload (the droppee) that carries out the financial fraud.

    “Ordinarily, the downloader is tasked with downloading and installing the droppee, at which point the droppee assumes the central role in executing all fraudulent activities, rendering the downloader inconsequential,” Somech said.

    “In PixPirate’s case, the downloader not only downloads and installs the droppee but also actively runs and executes it. The downloader actively participates in the malicious activities of the droppee, engaging in communication and issuing commands for execution.”

    Once launched, the downloader APK prompts the victim to update the app, then either fetches the PixPirate component from a server controlled by the threat actors or installs it from a copy embedded within itself.

    Android Banking Trojan

    The most recent change in the latest version of the droppee is the removal of the activity tied to the “android.intent.action.MAIN” action and the “android.intent.category.LAUNCHER” category, the pair that lets a user launch an app from the home screen by tapping its icon; without it, the app has no home-screen icon.

    In other words, the infection chain requires the downloader and the droppee to work together: the downloader is responsible for running the PixPirate APK, which it does by binding to a service exported by the droppee.

    “To sustain persistence, the droppee is subsequently triggered to run by different receivers it has registered. These receivers are set to activate based on various system events, not necessarily triggered by the downloader that initially instigated the droppee to run.”

    “This technique empowers the PixPirate droppee to operate covertly and conceal its presence, even if the victim removes the PixPirate downloader from their device.”
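    As an added illustration (not code from the IBM report or from the malware itself), the Python helper below inspects a decoded AndroidManifest.xml for the pattern described above: no MAIN/LAUNCHER activity (hence no icon), an exported service that a second app can bind to, and receivers registered for system events. The sample manifest, its package name and the list of system-event actions are constructed assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Broadcast actions that fire on system events rather than on a user tap.
# This set is an analyst's assumption; the report does not name the receivers.
SYSTEM_EVENT_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                        "android.intent.action.USER_PRESENT"}

# Constructed sample: a decoded manifest (apktool output style) with no
# launcher activity, one exported service and a system-event receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.droppee">
  <application>
    <activity android:name="com.example.droppee.HiddenActivity"/>
    <service android:name="com.example.droppee.RemoteService" android:exported="true"/>
    <receiver android:name="com.example.droppee.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def _names(component, tag):
    # android:name values of <action>/<category> children of the intent filters
    return {e.get(NS + "name") for f in component.findall("intent-filter")
            for e in f.findall(tag)}

def triage_manifest(xml_text):
    """Flag the pattern from the report: no MAIN/LAUNCHER activity (so no
    home-screen icon), yet a service another app can bind to and receivers
    that restart the app on system events."""
    app = ET.fromstring(xml_text).find("application")
    has_launcher = any(
        "android.intent.action.MAIN" in _names(c, "action")
        and "android.intent.category.LAUNCHER" in _names(c, "category")
        for c in app.findall("activity") + app.findall("activity-alias"))
    # Exported if declared so, or (targetSdk < 31) if it has an intent filter
    # and no explicit android:exported attribute.
    exported = [s.get(NS + "name") for s in app.findall("service")
                if s.get(NS + "exported") == "true"
                or (s.get(NS + "exported") is None and s.find("intent-filter") is not None)]
    receivers = [r.get(NS + "name") for r in app.findall("receiver")
                 if _names(r, "action") & SYSTEM_EVENT_ACTIONS]
    return {"has_launcher_activity": has_launcher,
            "exported_services": exported,
            "system_event_receivers": receivers,
            "hidden_icon_pattern": not has_launcher and bool(exported) and bool(receivers)}
```

    Run it over the output of `apktool d` for each APK in a triage queue; a hit is a reason for closer analysis, not proof of malice, since legitimate background components can match too.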

    Cybersecurity Developments

    The disclosure comes as Latin American (LATAM) banks face a new malware strain called Fakext, which uses a rogue Microsoft Edge extension named SATiD to carry out man-in-the-browser and web injection attacks, with the goal of stealing credentials entered on the targeted bank’s site.

    It is noteworthy that SAT ID is a service offered by Mexico’s Tax Administration Service (SAT) for generating and updating electronic signatures for online tax filing.

    In some cases, Fakext displays an overlay that poses as the bank’s IT support team and urges the victim to download a supposedly legitimate remote access tool, which the threat actors then use to commit financial fraud.

    The campaign, active since at least November 2023, targets 14 banks in the region, most of them in Mexico. The extension has since been removed from the Edge Add-ons store.
