Cybersecurity researchers have found a new version of a well-known Android banking Trojan malware that offers a pretty creative method of hiding in plain sight.
PixPirate primarily targets Brazilian consumers with accounts on the Pix instant payment platform, which reportedly has more than 140 million customers and transacts worth $250 billion.
The goal of the campaign was to send the money to the attacker’s accounts. Typically, banking Trojans on Android would try to hide by changing their app icons and names. Often, the Trojans would adopt the ‘settings’ icon or something similar, tempting victims to look elsewhere, or simply be too scared to uninstall the app from their device. PixPirate, on the other hand, puts an end to that by not having an icon at all.
Running the malware
The big caveat here is that without the icon, the victims cannot launch the Trojan, leaving a crucial part of the equation to the attackers.
The campaign consists of two apps: the dropper and the “droppee”. The dropper is distributed on third-party stores, shady websites, and through social media channels, and is designed to deliver and execute the final payload (droppee) (after requesting accessibility and other permissions).
Droppee, PixPirate’s file name, exports a service that other apps can connect to. The dropper connects to that service, allowing it to execute the Trojan. Even after the dropper is removed, the malware can still run on its own under certain triggers (e.g., boot time, network changes, or other system events).
The entire process, from collecting user data to initiating money transfers, is automated and runs in the background without the victim’s knowledge or consent. The only thing standing in the way, the researchers claim, are the accessibility service permissions.
It’s also worth noting that this method only works on older versions of Android, up to Pie (9).
Through BleepingComputer