The malware only targets Brazilian financial systems for now, but for how long?
A new banking Trojan for Android has targeted Brazilian financial institutions to commit fraud using the Pix payment platform. Italian cybersecurity company Cleafy, which discovered the malware late last year, is tracking it under the name PixPirate.
“PixPirate belongs to the latest generation of banking trojans for Android as it can act as an automatic transfer system (ATS). This feature allows attackers to automate the process of malicious money transfers through the Pix instant payment platform, actively used by several Brazilian banks,” Cleafy researchers said.
PixPirate adds to the long list of Android banking malware. All of them exploit the operating system's accessibility API to perform their malicious actions, including disabling Google Play Protect, intercepting SMS messages, preventing their own deletion, and displaying fraudulent ads through push notifications.
In addition to stealing passwords entered by users in banking applications, the attackers behind the operation use code obfuscation and encryption using the Auto.js framework to hinder reverse engineering and prevent disclosure of the source code.

The dropper apps used to deliver PixPirate disguise themselves as authenticator apps and are usually distributed as APK files on phishing sites. At the moment, there is no confirmation that these apps have been published on the official Google Play store.
Cleafy researchers are concerned that more complex malware that also uses ATS technology will emerge in the near future.