Cybersecurity researchers have found a new version of a well-known Android banking Trojan that features a rather creative method of hiding in plain sight.
PixPirate primarily targets Brazilian consumers with accounts on the Pix instant payment platform, which reportedly has more than 140 million customers and handles transactions worth in excess of $250 billion.
The goal of the campaign is to divert the victims' money to accounts controlled by the attackers. Typically, Android banking trojans try to hide by changing their app icon and name. Often, a trojan impersonates the "Settings" app or something similar, so that victims look elsewhere for the culprit or are simply too afraid to delete what looks like a system app. PixPirate does away with all of that by having no icon in the first place.
Running the malware
The big caveat is that without an icon the victim cannot launch the trojan, so the crucial step of starting it is left to the attackers' own tooling.
The campaign consists of two applications: the dropper and the "droppee." The dropper is distributed through third-party stores, suspicious websites and social media channels, and its job is to deliver the final payload (the droppee) and execute it, after requesting the Accessibility Service and other permissions it needs.
The droppee, which is the PixPirate APK itself, exports a service that other applications can connect to. The dropper binds to that service, which lets it start the trojan without any launcher activity. Even after the dropper is removed, the malware can still run on its own, woken by system events such as device boot, a change in network connectivity, or other triggers.
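The combination described above (no launcher icon, an exported service another app can bind to, and receivers that wake the app on system events) is visible in a package's manifest. The following script is an added example, not code from the original article or from the researchers who analysed PixPirate: it parses a decoded AndroidManifest.xml (as apktool would produce) and flags that combination. The sample manifest, package name and component names are constructed for illustration and do not come from the real sample.

```python
"""Heuristic manifest check for a PixPirate-style 'no icon' Android package.

Added example (not from the article or the researchers). Input is a decoded
AndroidManifest.xml; the sample below is constructed, not a real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# System broadcasts an icon-less app commonly uses to wake itself up.
WAKE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.USER_PRESENT",
}

# Constructed manifest: no MAIN/LAUNCHER activity, an exported service with
# no permission guard, and a receiver listening for boot/network events.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.droppee">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="droppee">
    <service android:name=".PayloadService" android:exported="true"/>
    <receiver android:name=".WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def ns(attr):
    """Qualify an attribute name with the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


def has_launcher_activity(app):
    """True if any activity (or alias) carries a MAIN/LAUNCHER intent filter."""
    for tag in ("activity", "activity-alias"):
        for act in app.iter(tag):
            for filt in act.findall("intent-filter"):
                actions = {e.get(ns("name")) for e in filt.findall("action")}
                cats = {e.get(ns("name")) for e in filt.findall("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in cats):
                    return True
    return False


def exported_unguarded_services(app):
    """Names of services other apps can bind to with no permission required."""
    found = []
    for svc in app.iter("service"):
        declared = svc.get(ns("exported"))
        exported = (declared or "").lower() == "true"
        # Before Android 12 a service with an intent-filter and no explicit
        # android:exported attribute is exported by default.
        if declared is None and svc.find("intent-filter") is not None:
            exported = True
        if exported and svc.get(ns("permission")) is None:
            found.append(svc.get(ns("name")))
    return found


def wake_receivers(app):
    """(receiver name, matching wake actions) for receivers on system events."""
    found = []
    for rcv in app.iter("receiver"):
        actions = {act.get(ns("name"))
                   for filt in rcv.findall("intent-filter")
                   for act in filt.findall("action")}
        hits = sorted(actions & WAKE_ACTIONS)
        if hits:
            found.append((rcv.get(ns("name")), hits))
    return found


def analyze(manifest_xml):
    """Return the individual findings plus an overall 'suspicious' verdict."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    result = {
        "package": root.get("package"),
        "launcher_activity": has_launcher_activity(app),
        "exported_services": exported_unguarded_services(app),
        "wake_receivers": wake_receivers(app),
    }
    # All three together is the PixPirate pattern; any one alone is common
    # in legitimate apps, so do not alert on a single indicator.
    result["suspicious"] = (not result["launcher_activity"]
                            and bool(result["exported_services"])
                            and bool(result["wake_receivers"]))
    return result


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MANIFEST).items():
        print("%-18s %s" % (key, value))
```

The verdict requires all three indicators at once: plenty of legitimate apps export a service or listen for BOOT_COMPLETED, and some (input methods, widgets) have no launcher activity, so any single signal on its own is noise.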
The entire process, from collecting the user's credentials to initiating the money transfer, is automated and takes place in the background without the victim's knowledge or consent. The only thing standing in the way, the researchers say, is the Accessibility Service permission the malware needs the victim to grant.
It is also worth noting that this technique only works on older versions of Android, up to Android 9 (Pie).
Via BleepingComputer