'PixPirate' RAT & Android Wire Transfers

A sophisticated Brazilian banking Trojan uses a novel method to hide its presence on Android devices. A multi-tooled Trojan takes apart Brazil's premier wire transfer app. Could similar malware do the same to Venmo, Zelle, or PayPal?

"PixPirate" is multipronged malware specially crafted to exploit Pix, the instant bank transfer system developed by the Central Bank of Brazil. Pix makes a good target for Brazil-nexus cybercriminals since, despite being hardly three years old, it is already integrated into most Brazilian banks' online platforms and has more than 150 million users, according to Statista. Each month, it processes somewhere in the range of 3 billion transactions, totaling around $250 billion worth of Brazilian real.

PixPirate's newest trick, documented in a new blog post from IBM, is how it hides its presence on an Android device, with no app icon and seemingly no footprint at all, despite platform changes Google introduced specifically to stop apps from hiding their icons. Experts warn that banking malware targeting the US and EU could employ a similar tactic.

It typically spreads through a link, sent over WhatsApp or SMS, to a fake bank authentication app. What the link delivers is only a downloader; once installed, it prompts the victim to install an "updated" version of the fake app, which is the actual PixPirate payload. "From the victim's perspective, they are unaware of the PixPirate malware being installed by the downloader because, in their eyes, the downloader is legitimate. So, they are unlikely to suspect anything suspicious," explains Nir Somech, mobile security researcher at IBM Trusteer.

Once embedded on an Android phone, the malware waits until the user opens a real banking app. At that point it springs into action, capturing the login credentials as they are typed and sending them to an attacker-controlled command-and-control (C2) server. With the credentials in hand, it covers the screen with a fake overlay. Underneath that overlay it opens the real banking app, programmatically presses the buttons needed to reach its Pix page, and executes an unauthorized transfer, all out of the victim's sight.

PixPirate also features dozens of other capabilities to ease this financial fraud, including pinpointing the device's location, keylogging, locking and unlocking its screen, accessing contacts and call histories, installing and deleting apps, persistence after reboots, and more.

Malicious apps have traditionally concealed their presence on compromised devices by hiding their home screen icons. As of Android 10, however, this became impossible: the launcher now shows an icon for every installed app, save for system apps and apps that do not request any permissions from the user. Like every cybersecurity advancement before it, this positive change also served as a creative constraint. "It enabled threat actors to adapt, which is what we're seeing with this new mechanism, where the icon doesn't need concealing because it simply doesn't exist," says Somech. By "doesn't exist," he means that the PixPirate payload has no main activity, so there is nothing for the launcher to show. How does an app without a launcher entry ever launch? The key is that the downloader, not the payload, is the app that runs on the device. When it wants to, it starts the payload by binding to an exported service the payload declares, and the two then keep communicating over that binding, passing malicious commands back and forth.

For persistence, once the downloader has triggered it the first time, the payload also registers broadcast receivers that fire on certain device events, so it can be woken again without the downloader's help. According to IBM Trusteer, this is the first financial malware to use this method for running without an app icon.
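The two paragraphs above describe a pattern that shows up directly in an app's manifest: no activity carrying the MAIN/LAUNCHER intent filter, a service marked exported so another package can bind to it, and receivers tied to system broadcasts. The following script is an added triage example written for this page, not IBM Trusteer's tooling or any code from the malware itself. It assumes a decoded, textual AndroidManifest.xml (the form apktool writes out), and every package, component and broadcast name in it is a constructed placeholder rather than a real indicator; BOOT_COMPLETED is an assumed wake-up trigger, since the article only says "certain events".

```python
"""Triage heuristic for the icon-less payload pattern: flag manifests that have
no launcher activity but do expose an exported service and event-driven receivers.
Added example for this page; names below are constructed placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: attribute prefix
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"


def _qualify(package, name):
    """Expand manifest shorthand ('.Svc' or 'Svc') to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def _filter_actions(component):
    """Every <action> name declared across the component's intent filters."""
    return {a.get(A + "name") for f in component.findall("intent-filter")
            for a in f.findall("action")}


def _has_launcher_entry(component):
    """True if one intent filter pairs MAIN with LAUNCHER, i.e. a home-screen icon."""
    for f in component.findall("intent-filter"):
        actions = {a.get(A + "name") for a in f.findall("action")}
        cats = {c.get(A + "name") for c in f.findall("category")}
        if MAIN in actions and LAUNCHER in cats:
            return True
    return False


def analyze_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    activities = app.findall("activity") + app.findall("activity-alias")
    launcher_activities = [_qualify(pkg, a.get(A + "name"))
                           for a in activities if _has_launcher_entry(a)]
    # Services another package can bind to with an explicit Intent. Since Android 12
    # 'exported' must be declared explicitly, so a plain string compare suffices.
    exported_services = [_qualify(pkg, s.get(A + "name"))
                         for s in app.findall("service")
                         if s.get(A + "exported") == "true"]
    # Receivers wired to broadcasts: the "wake me when X happens" persistence hook.
    triggered_receivers = {_qualify(pkg, r.get(A + "name")): sorted(_filter_actions(r))
                           for r in app.findall("receiver")
                           if r.find("intent-filter") is not None}
    permissions = [p.get(A + "name") for p in root.findall("uses-permission")]
    return {
        "package": pkg,
        "launcher_activities": launcher_activities,
        "exported_services": exported_services,
        "triggered_receivers": triggered_receivers,
        "permissions": permissions,
        # Heuristic only: headless helper apps and some SDK hosts look like this too,
        # so a hit is a reason to pull the APK for analysis, not a verdict.
        "hidden_payload_pattern": not launcher_activities and bool(exported_services),
    }


# Constructed sample: payload with no launcher entry, an exported service for the
# downloader to bind to, and a receiver that re-arms it on boot (assumed trigger).
PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="update">
    <service android:name=".CoreService" android:exported="true"/>
    <receiver android:name=".WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a visible launcher activity.
NORMAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (NORMAL_MANIFEST, PAYLOAD_MANIFEST):
        report = analyze_manifest(manifest)
        print(report["package"], "hidden-payload pattern:", report["hidden_payload_pattern"])
```

On a real device the same check can be run over the output of `pm list packages` and each package's decoded manifest; a package with no launcher activity that nonetheless requests permissions and exports a bindable service is worth a closer look, and its receivers tell you which events will bring it back.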

A Google spokesperson noted: "Based on our current detections, no apps containing this malware are found on Google Play.  Android users are automatically protected against known versions of this malware by Google Play Protect, which is on Android devices by default with Google Play Services.  Google Play Protect can warn users or block apps that exhibit malicious behavior, even when those apps come from sources outside of Play."

For anyone worried that PixPirate might portend a threat to US banks and banking apps such as Venmo, Zelle, and PayPal, there is both good and bad news. The good news is that the malware is bespoke. "PixPirate exploits specific functionalities and vulnerabilities within the Pix payment system, which may not directly apply to US payment apps with differing architectures and security mechanisms," explains Sarah Jones, cyber threat intelligence research analyst at Critical Start. "Even if core functionalities could be adapted, the malware's reliance on abusing accessibility services might require modifications to align with different accessibility implementations used by US apps."

She warns, "While a replica may face obstacles, the underlying techniques employed by PixPirate pose concerns for US payment systems.  The concept of abusing accessibility services for malicious purposes could inspire attackers to target other vulnerable functionalities in US apps.  While the direct threat of PixPirate to US payment systems may be limited, its emergence underscores the importance of proactive security measures in safeguarding sensitive financial information."

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941