The coronavirus pandemic accelerated digitization across the banking industry. Banks developed and implemented new tools, infrastructure, protocols and policies. One of the most successful examples of such initiatives is known as Pix, an instant payments solution launched by the Central Bank of Brazil. Although Pix only came about in November of 2020, the solution has already reached 40 million transactions a day. This translates to the movement of roughly $4.7 billion per week. 

However, as the technology evolves, cyber attacks also evolve. Increased use of online banking services has resulted in new forms of financially focused cyber attacks. Check Point Research has recently uncovered a new wave of malicious Android applications targeting the Pix payment system and Brazilian bank applications. These malicious apps, once distributed on the Google Play Store, appear to be related to an unclassified family of banking Trojans outfitted with a new arsenal of forms and functions. 

The PixStealer malware

One of the versions identified by Check Point research contains a never-before-seen functionality, which enables the malware to steal victims’ financial resources using Pix transactions. On account of the unique functionality and implementation, researchers dubbed this version “PixStealer.”

PixStealer is considered a minimalistic malware. It does not execute on any traditional banking malware activities. In contrast, PixStealer’s “big brother” known as MalRhino contains a variety of advanced components and leverages open-source Rhino JavaScript Engine to process Accessibility events. 

Technical details…

The internal name of the PixStealer malware is “Pag Cashback 1.4.” It was first distributed on Google Play as a fake PagBank Cashback service and only targeted the Brazilian PagBank.

The package name com.pagcashback.beta shows that developers may perceive the app as in the beta stage.

PixStealer relies on a “less is more” technique: as a very small application with limited permissions and no connection to a C&C, it has only one function: transfer all of the victim’s funds to an actor-controlled account.

With this approach, the malware cannot update itself by communicating with a C&C, or steal and upload any information about the victims, but achieves the very important goal: to stay undetectable.

As with many of the banking Trojans that have emerged across the past few years (Evenbot, Gustaff, Medusa and others), PixStealer relies on Android’s Accessibility Service. This service assists users with disabilities as they operate Android devices and apps. However, victims who end up in the banking malware trap and who enable this service accidentally deploy a malicious script. All of a sudden, anything that the user accesses and any actions that the user takes can be captured by the malware.

In summary

Get a full technical analysis of PixStealer and other new malware variants. Understand the innovative techniques that the user to avoid detection, maximize the threat actor’s gain, and abuse very specific digital banking features, such as the Pix system. Click here for insights.

For more information about banking sector threats, see our whitepapers or Cyber Talk’s past coverage. Lastly, to receive executive-level cyber security insights, cutting-edge analysis, and robust resources in your inbox each week, sign up for the Cyber Talk newsletter.