"Novel Banking Trojan 'PixPirate' Targets Brazil"

Security researchers at Cleafy have discovered a new Android banking Trojan dubbed "PixPirate" targeting financial institutions in Brazil between the end of 2022 and the beginning of this year. The researchers stated that PixPirate belongs to the newest generation of Android banking Trojans, as it can perform ATS (automatic transfer system), enabling attackers to automate the insertion of a malicious money transfer over the instant payment platform Pix, adopted by multiple Brazilian banks. The researchers noted that the primary goal of this malware was to steal sensitive information and perpetrate fraud attempts on Pix users.

PixPirate is usually delivered using a dropper application, which downloads (or in some cases just unpacks) and installs the banking Trojan. The researchers noted that during its installation, PixPirate immediately tries to enable Accessibility Services, which it keeps requesting persistently with fake pop-ups until the victim accepts. After these permissions were given, the threat actors were observed using PixPirate to write scripts that could interact with the device's UI and perform actions like entering text, simulating touch events, and scrolling through lists, among others.

After inspecting the PixPirate code, the researchers identified a few references related to a framework called Auto.js, an open-source tool for automating tasks on Android devices using JavaScript. Auto.js also provides a built-in JavaScript interpreter, allowing scripts to run on the device itself without needing an external runtime. The researchers noted that Auto.js represents a new framework for mobile banking Trojans that allows malicious actors to speed up the development phase via JavaScript automation scripts, web communication management features within the application, and built-in code encryption/obfuscation capabilities. The researchers warned that the "introduction of ATS capabilities paired with frameworks that will help the development of mobile applications using flexible and more widespread languages could lead to more sophisticated malware."

 

Infosecurity reports: "Novel Banking Trojan 'PixPirate' Targets Brazil"