A new Android banking Trojan has targeted the PIX payment platform to defraud Brazilian financial institutions.
Italian cybersecurity company Cleafy, which discovered the malware between late 2022 and early 2023, is tracking it under the name PixPirate.
"PixPirate belongs to the latest generation of Android banking Trojans. Thanks to ATS (Automatic Transfer System), attackers can automate the insertion of malicious money transfers via Pix, an instant payment platform employed by multiple Brazilian banks," said researchers Francesco Iubatti and Alessandro Strino.
It also abuses the operating system's Accessibility Services API to perform malicious functions such as disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and serving deceptive advertisements via push notifications, making it the latest addition to a long list of banking malware that abuses accessibility features.
In addition to stealing the passwords users enter in banking apps, the attackers behind the campaign have used code obfuscation and encryption, built with a framework called Auto.js, to resist reverse engineering efforts.
The dropper apps used to deliver PixPirate pose as authenticator apps. There is no indication that they have been published to the official Google Play store.
The findings come more than a month after ThreatFabric revealed details of another malware called BrasDex, which in addition to abusing PIX to make fraudulent money transfers also has ATS capabilities.
"The introduction of ATS capabilities, combined with frameworks that help develop mobile applications in a more flexible and accessible language (shortening the learning curve and development time), could lead to more sophisticated malware that, in the future, could be compared to its workstation counterparts," the researchers said.
The disclosure comes as Cyble shed light on a new Android remote access Trojan codenamed Gigabud RAT that has targeted users in Thailand, Peru, and the Philippines since at least July 2022, masquerading as banking and government apps.
"The RAT has advanced capabilities such as screen recording and abusing accessibility services to steal banking credentials," the researchers said, noting the use of phishing sites as a distribution vector.
Cybersecurity researchers have further exposed the threat actor behind the InTheBox darknet marketplace, who is touting a catalog of 1,894 web injects compatible with various Android banking malware families such as Alien, Cerberus, ERMAC, Hydra and Octo.
Primarily used for harvesting credentials and other sensitive data, the web injects are designed to target banking, mobile payment, cryptocurrency exchange, and mobile e-commerce applications across Asia, Europe, the Middle East, and the Americas.
More worryingly, rogue apps have found ways to bypass the defenses of the Apple App Store and Google Play to carry out what is known as a pig butchering scam, dubbed CryptoRom.
The scheme relies on social engineering, such as approaching victims through dating apps like Tinder, to trick them into downloading fraudulent investment apps with the intent of stealing their money.
The malicious iOS apps in question are Ace Pro and MBM_BitScan, both of which have since been removed by Apple. The Android version of MBM_BitScan has also been removed by Google.
Cybersecurity firm Sophos, which made the discovery, says the iOS apps employ "review evasion techniques" that allow the malware authors to get past the App Store review process.
"Both apps we discovered used remote content to provide malicious functionality. The content was hidden until App Store review was complete," said Sophos researcher Jagadeesh Chandraiah.
Pig butchering scams originated in China and Taiwan and have spread globally in recent years, with a large share of the operations run out of special economic zones in Laos, Myanmar and Cambodia.
In November 2022, the U.S. Department of Justice (DoJ) announced the seizure of seven domain names linked to a pig butchering cryptocurrency scam that netted criminals more than $10 million from five victims.