New Android Banking Trojan Targeting Brazilian Financial Institutions


A new Android banking Trojan abuses the PIX instant payment platform to carry out fraudulent money transfers against customers of Brazilian financial institutions.

Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate.

“PixPirate belongs to the newest generation of Android banking Trojans, as it can perform ATS (Automatic Transfer System), enabling attackers to automate malicious money transfers over Pix, an instant payment platform adopted by several Brazilian banks,” said researchers Francesco Iubatti and Alessandro Strino.

The latest addition to the long list of Android banking malware also abuses the operating system’s Accessibility Services APIs to perform malicious functions such as disabling Google Play Protect, intercepting SMS messages, preventing its own uninstallation, and serving fraudulent ads via push notifications.
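Accessibility Service abuse of the kind described above leaves a device-side trace: the malicious app must be listed in the `enabled_accessibility_services` secure setting. The following triage script is an added example written for this article, not code from Cleafy’s report or from the PixPirate sample. It parses the output of two adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, and flags user-installed apps that hold accessibility access and are not on an allowlist. The sample outputs, the package names and the allowlist are constructed for illustration.

```python
"""Flag third-party Android apps that have been granted Accessibility Service access.

Added example (not from the original article or the PixPirate analysis).
Inputs are the raw output of:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3
The constants below are constructed sample output so the script runs offline.
"""
import re

# Constructed sample: the setting is a colon-separated list of flattened
# ComponentName strings in the form "package/ServiceClass".
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeauth/.AccService"
)

# Constructed sample: `pm list packages -3` prints one user-installed package per line.
SAMPLE_THIRD_PARTY_PACKAGES = """package:com.example.fakeauth
package:com.android.chrome
package:org.mozilla.firefox
"""

# Hypothetical allowlist of accessibility apps a fleet legitimately relies on.
ALLOWLIST = {"com.example.corp.mdm"}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Return (package, fully qualified service class) pairs from the setting value.

    The setting reads 'null' or is empty when no service is enabled. A class
    name beginning with '.' is relative to its package and is expanded here.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for component in raw.split(":"):
        component = component.strip()
        if "/" not in component:
            continue
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_third_party_packages(raw: str) -> set[str]:
    """Extract package names from `pm list packages -3` output."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", raw, re.MULTILINE)}


def flag_suspicious_services(enabled_raw: str, packages_raw: str,
                             allowlist: set[str]) -> list[tuple[str, str]]:
    """User-installed apps with accessibility access that are not allowlisted.

    System apps (TalkBack, for example) are excluded because they do not
    appear in the third-party package list; allowlisted packages are skipped.
    """
    third_party = parse_third_party_packages(packages_raw)
    return [
        (pkg, cls)
        for pkg, cls in parse_enabled_services(enabled_raw)
        if pkg in third_party and pkg not in allowlist
    ]


if __name__ == "__main__":
    for pkg, cls in flag_suspicious_services(
            SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY_PACKAGES, ALLOWLIST):
        print(f"SUSPICIOUS accessibility service: {pkg} ({cls})")
```

A hit is a lead, not a verdict: screen readers and legitimate automation tools also appear here, which is why the allowlist exists. A clean result does not prove the absence of the Trojan either, since the Play Protect disabling described above is done by driving the settings UI and leaves no entry of its own in this setting.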

In addition to stealing the passwords users enter into banking apps, the attackers behind the campaign rely on code obfuscation and encryption, built on a framework called Auto.js, to resist reverse engineering efforts.

The dropper apps used to deliver PixPirate pose as authenticator apps. There is no indication that they were ever published on the official Google Play store, which points to sideloading as the installation path.

The findings come a little over a month after ThreatFabric disclosed details of another malware strain, called BrasDex, which also abuses PIX for fraudulent money transfers and likewise has ATS capabilities.

“The introduction of ATS capabilities, combined with frameworks that help develop mobile applications in a more flexible and broader language (shortening the learning curve and development time), may result in more sophisticated malware that, in the future, could match what is seen on workstations,” the researchers said.

Cyble has also disclosed a new Android remote access Trojan, codenamed Gigabud RAT, that has been targeting users in Thailand, Peru, and the Philippines since at least July 2022 by masquerading as banking and government apps.


“The RAT has advanced capabilities such as screen recording and abusing accessibility services to steal banking credentials,” the researchers said, noting that phishing sites are used as the distribution vector.

It has also come to light that actors behind the InTheBox darknet marketplace are advertising a catalog of 1,894 web injects compatible with various Android banking malware families, including Alien, Cerberus, ERMAC, Hydra, and Octo.

Primarily used to harvest credentials and other sensitive data, the web injects are designed to target banking, mobile payment, cryptocurrency exchange, and mobile e-commerce applications across Asia, Europe, the Middle East, and the Americas.

More concerning still, rogue apps are finding ways to bypass the defenses of the Apple App Store and Google Play to carry out what is known as a pig butchering scam, in a campaign tracked as CryptoRom.

The technique relies on social engineering: approaching victims through dating apps such as Tinder and tricking them into downloading fraudulent investment apps with the aim of stealing their money.

The malicious iOS apps in question, Ace Pro and MBM_BitScan, have since been removed by Apple. The Android version of MBM_BitScan has also been removed by Google.

Sophos, the cybersecurity firm that made the discovery, said the iOS apps incorporate “review evasion techniques” that allowed the malware authors to slip past Apple’s app review process.

Sophos researcher Jagadeesh Chandraiah said:

Pig butchering scams originated in China and Taiwan and have spread globally in recent years, with large-scale operations running out of special economic zones in Laos, Myanmar, and Cambodia.

In November 2022, the U.S. Department of Justice (DoJ) announced the seizure of seven domain names tied to a pig butchering cryptocurrency scam that netted the criminals more than $10 million from five victims.
