The latest iteration of the PixPirate banking trojan for Android has introduced a novel method to evade detection and remain active on devices, even after its dropper application has been removed.
PixPirate, a recently discovered Android malware primarily targeting Latin American banks, was initially identified by the Cleafy Threat Intelligence and Research (TIR) team last month. However, the specifics of its hiding and persistence mechanisms were not detailed in their report or were only recently implemented.
A new analysis by IBM reveals that instead of following the conventional approach of concealing its icon, as seen in earlier versions, PixPirate now operates without a launcher icon. This innovation allows the malware to remain undetected across recent Android releases, including up to version 14.
However, the absence of an icon presents a practical challenge for victims in launching the malware.
According to IBM Trusteer researchers, the latest PixPirate variants employ two distinct applications that collaborate to steal information from compromised devices.
The initial app, referred to as the 'downloader,' is disseminated through APKs (Android Package Files) distributed via phishing messages sent through platforms like WhatsApp or SMS.
Upon installation, the downloader requests permissions, including Accessibility Services, and subsequently downloads and installs the second app, named 'droppee,' which harbours the encrypted PixPirate banking malware.
Unlike traditional malware, the 'droppee' app does not declare a main activity, preventing the appearance of an icon on the device's home screen and rendering it completely invisible.
Instead, the droppee app exports a service that other apps can connect to. The downloader app establishes a connection to this service to trigger the launch of the PixPirate malware when needed.
Even if users uninstall the downloader app, PixPirate can persist and execute based on various device events, maintaining its stealthy presence.
PixPirate primarily targets the Brazilian instant payment platform Pix, aiming to divert funds to attackers through intercepting or initiating fraudulent transactions.
IBM notes the widespread popularity of Pix in Brazil, with over 140 million users conducting transactions exceeding $250 billion as of March 2023.
The trojan's Remote Access Trojan (RAT) capabilities enable automated fraud processes, including capturing user credentials and two-factor authentication codes and executing unauthorized Pix money transfers covertly.
Accessibility Service permissions are required for these operations. Additionally, a manual control mechanism serves as a fallback in case automated methods fail, providing attackers with an alternative route for on-device fraud.
Previous reports highlighted PixPirate's utilization of push notification malvertising and its ability to disable Google Play Protect, a core security feature of Android.
While the infection vector for PixPirate is not novel and can be mitigated by avoiding APK downloads, the absence of an icon and the registration of services bound to system events represent a concerning advancement in its evasion tactics.
