Six New Android Malware Families Target Pix Payments and Banking Apps, Accelerating Financial Fraud Risks

Cybersecurity researchers have identified six new families of Android malware designed to steal data from compromised devices and facilitate financial fraud. Several of them share the same toolkit: Android accessibility services to read and manipulate what is on screen, screen capture to stream it to an operator, and overlays to substitute the attacker's payment details for the victim's. The trend highlights the increasing sophistication of cybercriminals targeting mobile banking.

Overview of New Malware Families

The newly discovered malware includes banking trojans such as PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT, as well as a full-featured remote administration tool known as SURXRAT. These threats are particularly concerning because they can alter financial transactions while they are in progress and harvest sensitive information from the device.

PixRevolution: A Targeted Attack on Brazil’s Payment System

PixRevolution specifically targets Brazil's Pix instant payment platform. It hijacks money transfers in real time, redirecting funds from victims to the attackers. According to Zimperium, the malware stays dormant until a victim initiates a Pix transfer. What sets PixRevolution apart is its design: a human operator or an AI agent watches the victim's device in real time, ready to intervene at the moment of the transaction.

The malware spreads through counterfeit Google Play Store listings for popular apps such as Expedia, Sicredi, and Correios. Once installed, these applications prompt users to enable accessibility services. That permission is what makes the rest of the attack possible: an accessibility service can read the content of other apps' screens and inject taps and text into them.
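The combination of an accessibility service, an overlay permission and screen capture is the fingerprint of this class of trojan (the next section describes PixRevolution using MediaProjection for the capture). The following Python triage is an added example, not code from Zimperium or from any of the malware families; it parses a constructed AndroidManifest.xml (fictitious package name) and scores that capability combination. The permission and component names are the real Android ones: an accessibility service is declared with `BIND_ACCESSIBILITY_SERVICE`, overlays need `SYSTEM_ALERT_WINDOW`, and screen capture on recent Android requires a foreground service of type `mediaProjection`.

```python
"""Static triage of an Android manifest for the accessibility + overlay +
screen-capture combination used by PixRevolution-style banking trojans.

Added example for this article; not Zimperium's tooling. The manifests
below are constructed for illustration and the package names are fictitious.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:* attributes in ElementTree

# Constructed manifest resembling a fake banking app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <application android:label="Fake Bank">
        <service android:name=".A11y" android:exported="true"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".Capture"
                 android:foregroundServiceType="mediaProjection"/>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary networked app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""


def manifest_capabilities(manifest_xml: str) -> dict:
    """Extract the capabilities relevant to screen hijacking from a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    caps = {
        "internet": "android.permission.INTERNET" in perms,
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "accessibility_service": False,
        "media_projection": "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION" in perms,
    }
    for svc in root.iter("service"):
        # An accessibility service must be protected by this permission.
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps["accessibility_service"] = True
        # Screen capture runs inside a foreground service of this type.
        if "mediaProjection" in (svc.get(A + "foregroundServiceType") or ""):
            caps["media_projection"] = True
    return caps


def triage(manifest_xml: str) -> tuple:
    """Return (verdict, reasons) for the manifest: 'high', 'medium' or 'low'."""
    caps = manifest_capabilities(manifest_xml)
    reasons = []
    if caps["accessibility_service"] and caps["overlay"]:
        reasons.append("accessibility service + overlay: can read the screen and draw a fake one on top")
    if caps["media_projection"] and caps["internet"]:
        reasons.append("media projection + network: live screen streaming to an operator is possible")
    if caps["accessibility_service"] and caps["overlay"] and caps["media_projection"]:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "low", reasons


if __name__ == "__main__":
    for name, m in (("fakebank", SUSPICIOUS_MANIFEST), ("weather", BENIGN_MANIFEST)):
        verdict, why = triage(m)
        print(name, verdict, "; ".join(why))
```

The check is a triage heuristic, not a verdict: legitimate screen-recording and assistive apps declare the same components, so a "high" score means the APK deserves a closer look at what its accessibility service actually does, not that it is malware.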

Mechanism of Action

PixRevolution connects to an external server over TCP on port 9000 and sends periodic heartbeat messages containing device information. It also starts real-time screen capture using Android's MediaProjection API. Its core routine is to watch the victim's screen and wait for the moment the victim has entered a payment amount and the recipient's Pix key.

At that point the trojan displays a fake WebView overlay telling the victim to "wait." Behind the overlay it replaces the recipient's Pix key with one belonging to the attacker, so the transfer the victim then confirms goes to the attacker. Victims often do not notice the theft until much later, and because Pix transfers are instant and final, recovery is nearly impossible.
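The periodic heartbeat to a fixed host on TCP/9000 is the most observable part of this behaviour from the network side. The Python below is an added example, not Zimperium's code, showing how a defender would pick such a beacon out of connection logs: it groups flows by source, destination and port, and flags groups whose inter-arrival times and payload sizes are unusually regular. The flow records are constructed, and the addresses and interval are fictitious; the logic generalizes to any port and treats 9000 only as an extra indicator.

```python
"""Beaconing detection over connection logs, aimed at the PixRevolution
heartbeat described above (fixed host, TCP/9000, small device-info payloads
at a steady interval).

Added example for this article; not Zimperium's code. FLOWS is constructed
test data with fictitious addresses.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src, dst, dst_port, bytes_out).
FLOWS = [
    # Beacon: one host, TCP/9000, roughly every 30 s, ~415-byte payloads.
    (1000, "10.0.0.23", "203.0.113.7", 9000, 412),
    (1031, "10.0.0.23", "203.0.113.7", 9000, 418),
    (1060, "10.0.0.23", "203.0.113.7", 9000, 415),
    (1090, "10.0.0.23", "203.0.113.7", 9000, 420),
    (1121, "10.0.0.23", "203.0.113.7", 9000, 412),
    (1150, "10.0.0.23", "203.0.113.7", 9000, 417),
    (1180, "10.0.0.23", "203.0.113.7", 9000, 414),
    (1211, "10.0.0.23", "203.0.113.7", 9000, 419),
    # Ordinary browsing from the same host: irregular timing and sizes.
    (1005, "10.0.0.23", "198.51.100.10", 443, 1500),
    (1007, "10.0.0.23", "198.51.100.10", 443, 320),
    (1042, "10.0.0.23", "198.51.100.10", 443, 9800),
    (1120, "10.0.0.23", "198.51.100.10", 443, 750),
    (1121, "10.0.0.23", "198.51.100.10", 443, 64000),
    (1199, "10.0.0.23", "198.51.100.10", 443, 2200),
    # Too few connections to judge.
    (1050, "10.0.0.23", "192.0.2.44", 443, 900),
    (1080, "10.0.0.23", "192.0.2.44", 443, 910),
]


def beacon_candidates(flows, min_count=5, max_jitter=0.15, max_size_cv=0.20):
    """Return (src, dst, port) groups whose timing and sizes look machine-generated.

    jitter is the coefficient of variation of inter-arrival gaps; size_cv is
    the coefficient of variation of payload sizes. Both near zero means a
    fixed-interval, fixed-format message such as a heartbeat.
    """
    groups = defaultdict(list)
    for ts, src, dst, port, size in flows:
        groups[(src, dst, port)].append((ts, size))

    findings = []
    for (src, dst, port), events in groups.items():
        if len(events) < min_count:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [s for _, s in events]
        gap_mean = mean(gaps)
        if gap_mean <= 0:
            continue  # all connections at the same instant: not a beacon
        jitter = pstdev(gaps) / gap_mean
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if jitter <= max_jitter and size_cv <= max_size_cv:
            score = 2 + (1 if port == 9000 else 0)  # port is a weak extra indicator
            findings.append({
                "src": src, "dst": dst, "port": port, "count": len(events),
                "interval_s": round(gap_mean, 1), "jitter": round(jitter, 3),
                "size_cv": round(size_cv, 3), "score": score,
            })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in beacon_candidates(FLOWS):
        print(f)
```

On real telemetry the same routine should run per device over a window of hours, and the thresholds need tuning against the organisation's own baseline; push notifications and keep-alives from legitimate apps are also periodic, so a hit is a lead for triage of the destination and the sending app, not proof of infection.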

BeatBanker: A Persistent Threat

Another significant threat is BeatBanker, which spreads mainly through phishing, using a website that masquerades as the Google Play Store. It uses an unusual persistence trick: it plays an almost inaudible audio file on a loop so that Android treats it as active media playback and does not kill the process.

BeatBanker bundles a cryptocurrency miner with a banking trojan capable of hijacking the device and spoofing screens. When the user initiates a transaction in platforms such as Binance or Trust Wallet, the malware draws an overlay over the app and covertly replaces the destination address with one controlled by the attacker.

TaxiSpy RAT: Comprehensive Data Theft

TaxiSpy RAT works along the same lines as PixRevolution, abusing Android's accessibility service and the MediaProjection API to collect SMS messages, contacts, call logs, and keystrokes. It targets banking, cryptocurrency, and government applications, serving overlays on top of them to steal credentials.

TaxiSpy combines conventional banking trojan functionality with full remote access, letting attackers gather data and issue commands to the device via Firebase push messages. New samples continue to surface, indicating that the operators are actively developing the malware to stay ahead of detection.

Mirax and Oblivion: Malware-as-a-Service Offerings

Mirax is marketed as a private malware-as-a-service (MaaS) offering available for a monthly fee. It advertises banking overlays, information gathering, and a SOCKS5 proxy for routing the operators' traffic through infected devices.

Oblivion, another Android remote access trojan, is sold for around $300 per month. It advertises bypasses for the protections on devices from major manufacturers and an automated permission-granting mechanism that needs no interaction from the victim.

SURXRAT: Advanced Capabilities and AI Integration

SURXRAT is distributed through a Telegram-based MaaS ecosystem and is considered an improved version of the Arsink malware. It abuses accessibility permissions to keep persistent control of the device and talks to Firebase-based command-and-control infrastructure.

Notably, some SURXRAT samples contain a large language model (LLM) component, suggesting that the operators are experimenting with AI capabilities alongside conventional surveillance. The download of the LLM module is triggered when specific gaming applications are detected as active on the victim's device.

Conclusion

The emergence of these families underscores how quickly threats against financial systems are evolving. The common thread across them is the abuse of accessibility services and overlays delivered through fake app listings, so the practical defences follow from that: install banking and payment apps only from the official store, treat any request from a newly installed app to enable accessibility services as a red flag, and review which apps hold accessibility and draw-over-other-apps permissions.

For further details, refer to the original reporting source at thehackernews.com.