PixPirate Android Banker uses a New method of masking Victims Devices

Researchers have discovered that the latest version of the PixPirate banking Trojan for Android uses a new method that allows the malware to hide on users' devices and remain active even if the original dropper app has been removed.

PixPirate was first discovered by Cleafy TIR experts last year, and at the time the experts wrote that the malware mainly attacks users in Latin America. Although Cleafy already noted then that the malware is launched by a separate downloader application, the experts' report did not cover PixPirate's unusual masking methods, or the malware did not use them yet.

A new IBM report on this malware says that PixPirate does not use the standard tactic in which malware tries to hide its icon from the user (this works in Android up to version 9). Instead, the banker does not use an icon at all, which allows it to remain unnoticed even on the latest versions of Android (up to Android 14).

However, refusing to use the icon creates an obvious problem: the victim can't find and run the malware.

IBM researchers explain that the new versions of PixPirate use two different applications that work together. The first app is a downloader, distributed through APKs and phishing messages sent to victims via WhatsApp or SMS.

During installation, the downloader asks the user for dangerous permissions, including Accessibility Services, and then downloads and installs a second, dropped application (the droppee), which is the encrypted PixPirate banker.

In turn, the droppee app does not declare its main activity in the manifest with the android.intent.action.MAIN action and android.intent.category.LAUNCHER category, so no icon appears on the device's home screen, and the app becomes almost invisible.

Instead, the droppee exposes a service that other apps can connect to, and which the downloader binds to when it wants to run PixPirate. Besides the downloader, which is able to launch and monitor the malware, triggers can be device boot, connectivity changes, or other system events that PixPirate monitors in the background.

"Droppee uses the exported com.companian.date.sepherd service and contains an intent filter with a custom com.ticket.stage.Service action. When the loader wants to start droppee, it creates and binds this service using the bindService API with the BIND_AUTO_CREATE flag. After creating and binding the droppee service, the APK starts up and starts working," the researchers explain.

Thus, even if the victim deletes the downloader app from their device, PixPirate will continue to hide from the user and continue to run due to various events on the device.
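The two manifest traits described above (no MAIN/LAUNCHER activity, plus an exported service reachable through a custom action) can be checked mechanically during APK triage. The following is an added example, not code from the IBM report or from the malware: it parses a decoded AndroidManifest.xml (assumed already converted to plain XML, e.g. with apktool) and flags that combination. The sample manifest is constructed; its package name is a placeholder, while the service name and action are the ones quoted from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest mirroring the droppee traits described above (package name
# is a placeholder); the service name and action are the ones quoted from IBM.
DROPPEE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.droppee">
  <application>
    <activity android:name=".Main"/>
    <service android:name="com.companian.date.sepherd" android:exported="true">
      <intent-filter>
        <action android:name="com.ticket.stage.Service"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

def _attr(elem, name):
    # Manifest attributes live in the android: XML namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def triage_manifest(manifest_xml: str) -> dict:
    """No launcher activity plus an exported custom-action service = droppee pattern."""
    root = ET.fromstring(manifest_xml)
    has_launcher = False
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            cats = {_attr(c, "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and \
               "android.intent.category.LAUNCHER" in cats:
                has_launcher = True
    exported = []  # (service name, custom actions another app can bind with)
    for svc in root.iter("service"):
        if _attr(svc, "exported") != "true":
            continue
        custom = [_attr(a, "name") for flt in svc.findall("intent-filter")
                  for a in flt.findall("action")
                  if not (_attr(a, "name") or "").startswith("android.")]
        if custom:
            exported.append((_attr(svc, "name"), custom))
    return {
        "has_launcher": has_launcher,
        "exported_custom_services": exported,
        "suspicious": not has_launcher and bool(exported),  # both traits together
    }
```

Either trait alone is common in legitimate apps (background-only apps, apps exposing bound services), so the flag is a triage hint, not a verdict.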

PixPirate got its name from its focus on the Brazilian instant payment platform Pix. The malware's creators seek to redirect victims' funds to themselves by intercepting or initiating fraudulent transactions. According to IBM, Pix is very popular in Brazil, where it is used by more than 140 million people.

PixPirate's RAT capabilities allow it to automate the entire fraud process, from intercepting user credentials and two-factor authentication codes to executing unauthorized Pix transactions. All of this happens in the background, without the user's knowledge, although it requires permission to use the Accessibility Service.

In addition, experts note that the malware has a backup mechanism for manual control in case the automation does not work.