[MART] - Daily Diary #358 - PixStealer, A New Android Banking Trojan Targeting Brazil PIX's Payment System

CTAS-MAT ctas-mat at appgate.com
Wed Sep 29 21:07:03 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

09/29/2021 - Diary entry #358:

Recently, a new malicious Android application was discovered targeting users of Brazil's PIX, an instant payment system. PIX allows any citizen with a bank account to instantly transfer money from any account in any banking institution to another at any time of the day. This threat, named PixStealer, has been distributed via Google Store disguised as a financial cashback application related to a Brazilian bank called PagBank. Its source code shares several resemblances with another threat called MalRhino.

PixStealer is a lightweight malware that doesn’t have any classic banker capabilities, such as stealing credentials and communicating with a C&C. So, it's not capable of updating itself, nor uploading any stolen data. PixStealer's main goal is to transfer money to an account held by the threat actors.

Once the malware is installed and launched, it lures the victim into enabling the accessibility permission in order to "activate" the cashback functionality. By enabling accessibility, it grants PixStealer the ability to perform any action a user can do on an Android device. Next, the malware shows a message to open the PagBank application for synchronization, as part of its social engineering and technique to remain undetectable. After the victim opens and signs in to the bank account, the malware shows a fake overlay screen asking the victim to wait for the synchronization to finish, while the malware transfers the victim's money - via the PIX instant payment system - to the threat actor account.

PixStealer is a single-purposed small malware that requires minimum permissions to run, so this is an advantage as it achieves a very important goal to stay undetectable. To defend from threats like PixStealer, it is important to always pay attention to dangerous and unnecessary permissions an app is requesting, especially accessibility.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210929/36d0407c/attachment.htm>

More information about the MART mailing list