The Italian cybersecurity company Cleafy discovered a new Android banking malware between late 2022 and early 2023 and is tracking it under the name PixPirate.

What do the researchers tell us about PixPirate?

“PixPirate belongs to the new generation of Android banking trojans, as it can execute ATS (Automatic Transfer System), allowing attackers to automate the entry of a malicious money transfer on the Pix instant payment platform, adopted by multiple Brazilian banks,” said researchers Francesco Iubatti and Alessandro Strino.

It is also the latest addition to a long list of Android banking malware that abuses the operating system’s Accessibility Services APIs to carry out its malicious functions, including disabling Google Play Protect, intercepting SMS messages, preventing its own uninstallation and serving rogue ads via push notifications.

And that’s not all: the malware also steals the passwords users enter into banking applications, and the operators behind it have obfuscated and encrypted its code using a framework known as Auto.js in order to resist reverse-engineering efforts.

The dropper apps used to distribute PixPirate pose as authenticator applications, but there is no evidence that they were ever published in the official Google Play Store.

The findings on this malware come more than a month after ThreatFabric disclosed the details of another malware called BrasDex, which is likewise equipped with ATS capabilities and also abused Pix to make fraudulent fund transfers.

“The introduction of ATS functionalities combined with frameworks that help the development of mobile applications, using flexible and more popular languages (lowering the learning curve and development times), could lead to more sophisticated malware that, in the future, could be compared to their workstation counterparts,” said the researchers.

But that’s not all: further developments came as Cyble shed light on a new Android remote access trojan codenamed Gigabud RAT, which has been targeting users in Thailand, Peru and the Philippines since at least July 2022 while masquerading as banking and government applications.

“The RAT has advanced features such as screen recording and abuse of accessibility services to steal banking credentials,” said the researchers, pointing out its use of phishing sites as the conduit for its distribution.

Separately, it has emerged that the operators of the dark web online store known as InTheBox are advertising a catalog of 1,894 web injections compatible with various Android banking malware families such as Alien, Cerberus, ERMAC, Hydra and Octo.

These web injections, used mainly to harvest credentials and other sensitive data, are designed to target banking services, mobile payment services, cryptocurrency exchanges and mobile e-commerce applications in Asia, Europe, the Middle East and the Americas.

PixPirate is, of course, part of this same “happy family” of malware.

In an even more troubling development, fraudulent apps have found a way to bypass the review defenses of both the Apple App Store and Google Play in order to run a “pig butchering” scam known as CryptoRom.

The technique relies on social engineering, such as approaching victims via dating apps like Tinder, to trick them into installing fraudulent investment apps with the aim of stealing their money.

While PixPirate is the Android newcomer, the malicious iOS apps in this case are Ace Pro and MBM_BitScan, both since removed by Apple; an Android version of MBM_BitScan has likewise been removed by Google.

Cybersecurity firm Sophos, which made the discovery, said the iOS apps used a “review evasion technique” that allowed the malware authors to pass the App Store verification process.

“Both apps we found used remote content to deliver their malicious functionality, content that was likely hidden until the App Store review was completed,” said Sophos researcher Jagadeesh Chandraiah.

These cryptocurrency scams originated in China and Taiwan and have expanded globally in recent years, with many operations run out of special economic zones in Laos, Burma and Cambodia.

In November 2022, the United States Department of Justice (DoJ) announced the seizure of seven domains connected to a cryptocurrency scam that netted unknown malicious actors more than $10 million from five victims.

How to defend yourself from PixPirate?

As usual (and this does not apply only to PixPirate), you have to learn to check what you download when you browse the internet; if PixPirate and its “fellows” can slip past antivirus and anti-malware checks, then for now the only real defence is attention.
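One concrete check a practitioner can run ties together the two points above: PixPirate’s droppers are sideloaded rather than installed from Google Play, and the malware only becomes dangerous once it has been granted Accessibility Services access. The script below is an added example written for this page, not code from Cleafy or from any of the researchers cited; it parses the text printed by three adb commands (`adb shell pm list packages -i`, `adb shell pm list packages -s` and `adb shell settings get secure enabled_accessibility_services`), whose output format is assumed from their usual behaviour, and flags every non-system package that holds an enabled accessibility service but was not installed by the Play Store. The sample device output embedded in the script is constructed for illustration; the package names `com.example.*` are hypothetical.

```python
"""Triage sideloaded Android apps that hold accessibility-service access.

Added example (not Cleafy's code). Feed it the raw text of:

  adb shell pm list packages -i
  adb shell pm list packages -s
  adb shell settings get secure enabled_accessibility_services

It reports packages that (a) own an enabled accessibility service,
(b) are not pre-installed system packages and (c) were NOT installed by
the Play Store - the combination the banking-trojan droppers rely on.
"""
import re
from typing import Dict, List, Set

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `pm list packages -i` (not captured from a real device).
# Assumed format: "package:<name>  installer=<installer package or null>".
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=null
package:com.google.android.apps.authenticator2  installer=com.android.vending
package:com.example.authenticator  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded.reader  installer=com.android.packageinstaller
"""

# Constructed sample of `pm list packages -s` (pre-installed system packages).
SAMPLE_SYSTEM_PACKAGES = """\
package:com.android.chrome
package:com.google.android.marvin.talkback
"""

# Constructed sample of `settings get secure enabled_accessibility_services`.
# Real output is a colon-separated list of "package/ServiceClass" components,
# or the literal string "null" when nothing is enabled.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.authenticator/com.example.authenticator.svc.AccService"
)

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when sideloaded or built-in)."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_package_names(pm_output: str) -> Set[str]:
    """Package names from plain `pm list packages` output ("package:<name>")."""
    return {
        line.strip()[len("package:"):]
        for line in pm_output.splitlines()
        if line.strip().startswith("package:")
    }


def parse_enabled_services(settings_output: str) -> Set[str]:
    """Package names that own an enabled accessibility service."""
    pkgs: Set[str] = set()
    for component in settings_output.strip().split(":"):
        if "/" in component:  # skips "null" and empty fields
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def suspicious_packages(pm_output: str, settings_output: str,
                        system_output: str) -> List[str]:
    """Non-system packages with accessibility access not installed by Play Store."""
    installers = parse_installers(pm_output)
    system_pkgs = parse_package_names(system_output)
    flagged = []
    for pkg in sorted(parse_enabled_services(settings_output)):
        if pkg in system_pkgs:
            continue
        if installers.get(pkg, "unknown") != PLAY_STORE_INSTALLER:
            flagged.append(pkg)
    return flagged


if __name__ == "__main__":
    for pkg in suspicious_packages(SAMPLE_PACKAGES, SAMPLE_ENABLED_SERVICES,
                                   SAMPLE_SYSTEM_PACKAGES):
        print(f"REVIEW: {pkg} has accessibility access and was not installed by Play Store")
```

On the constructed sample only the hypothetical `com.example.authenticator` is reported: TalkBack has accessibility access but is a system package, and the Play-Store-installed apps are left alone. A hit is a prompt for manual review, not proof of infection, since legitimate sideloaded apps (enterprise MDM agents, for example) can also need accessibility access.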

So watch out for: