

Rewterz Threat Update – Critical RCE Flaw Patched in Fortinet’s Endpoint Management Software
March 15, 2024
Rewterz Threat Advisory – Multiple Microsoft Products Vulnerabilities
March 15, 2024
Severity
High
Analysis Summary
The PixPirate Android banking trojan has evolved with new evasion techniques that make it harder to detect and remove from compromised devices. By hiding its icon from the home screen, PixPirate can operate stealthily in the background and conduct its malicious activity without the victim's awareness.
This development underscores the sophistication of modern mobile malware and the ongoing arms race between cybercriminals and security researchers. Researchers highlighted PixPirate's most concerning capabilities: abusing Android's accessibility services to perform unauthorized fund transfers via the PIX instant payment platform, and stealing sensitive banking and credit card information.

PixPirate is distributed through a dropper app that installs the main payload responsible for the fraudulent activity. Unlike traditional setups in which the dropper becomes irrelevant once the payload is deployed, PixPirate's dropper keeps communicating with the droppee and issues commands to it. This active collaboration between the dropper and the droppee enhances the trojan's capabilities and persistence on infected devices, making it a formidable threat to users' financial security.
One notable change in PixPirate's latest version is that it runs without the launcher activity that normally gives an app its home-screen icon, which makes its presence even harder for users to notice. Instead, the trojan relies on broadcast receivers triggered by system events, so it stays active and hidden even if the initial dropper is removed. This technique shows the trojan's intent to maintain long-term access to compromised devices and highlights the need for robust security controls and vigilant device monitoring by users and security professionals alike.
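The behaviour described above (no launcher activity, persistence through receivers on system events, and an accessibility service used for fraud) can be checked statically from an APK's decoded AndroidManifest.xml. The script below is an added example written for this advisory, not code from the researchers or from any PixPirate sample; the two manifests embedded in it are constructed for illustration, and the set of "system event" actions and the suspicion rule are this example's own assumptions rather than a published detection signature.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace (android:name etc.).
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def A(attr):
    """Return the namespaced attribute key for android:<attr>."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Assumption: broadcast actions commonly used to (re)start a hidden component.
SYSTEM_EVENT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.MY_PACKAGE_REPLACED",
    "android.intent.action.SCREEN_ON",
    "android.net.conn.CONNECTIVITY_CHANGE",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _intent_filters(component):
    """Yield (actions, categories) for every <intent-filter> of a component."""
    for f in component.findall("intent-filter"):
        actions = {a.get(A("name")) for a in f.findall("action")}
        categories = {c.get(A("name")) for c in f.findall("category")}
        yield actions, categories


def analyze_manifest(xml_text):
    """Static triage of a decoded AndroidManifest.xml for hidden-app traits."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    result = {
        "package": root.get("package", "<unknown>"),
        "has_launcher": False,
        "system_event_receivers": [],
        "accessibility_services": [],
        "suspicious": False,
    }
    if app is None:
        return result

    # A normal app exposes at least one MAIN/LAUNCHER activity (or alias);
    # that is what puts an icon in the launcher.
    for act in app.findall("activity") + app.findall("activity-alias"):
        for actions, cats in _intent_filters(act):
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                result["has_launcher"] = True

    # Receivers on system events let code run with no user interaction.
    for rcv in app.findall("receiver"):
        for actions, _ in _intent_filters(rcv):
            if actions & SYSTEM_EVENT_ACTIONS:
                result["system_event_receivers"].append(rcv.get(A("name")))
                break

    # An accessibility service can read screens and inject taps (fund transfers).
    for svc in app.findall("service"):
        if svc.get(A("permission")) == ACCESSIBILITY_PERMISSION:
            result["accessibility_services"].append(svc.get(A("name")))

    # Assumed rule: no icon plus either persistence or accessibility abuse.
    result["suspicious"] = (not result["has_launcher"]) and bool(
        result["system_event_receivers"] or result["accessibility_services"])
    return result


# Constructed sample: no launcher activity, boot receiver, accessibility service.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="%s" package="com.example.payload">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="System Service">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>""" % ANDROID_NS

# Constructed sample: an ordinary app with a visible launcher activity.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(m))
```

This only covers the static case. An app can also ship a launcher activity and disable it at runtime through PackageManager, so on a live device the check should be paired with `adb shell dumpsys package <pkg>` (or `pm list packages` against the launcher's visible apps) to spot components that exist but are disabled.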
The evolving threat landscape is not limited to PixPirate, as shown by the emergence of the Fakext malware targeting Latin American banks. Fakext uses a rogue Microsoft Edge extension named SATiD to carry out man-in-the-browser attacks that steal banking credentials. Its legitimate-looking prompts, including ones that impersonate a bank's IT support team, show the social engineering tactics threat actors use to deceive users and commit financial fraud.
The removal of the malicious extension from the Edge Add-ons store reflects the ongoing efforts of security teams and platform providers to combat such threats, but it also underscores the need for continuous vigilance and proactive security measures against evolving malware.
Impact
- Credential Theft
- Financial Loss
- Command Execution
Indicators of Compromise
MD5
- a69c22d79d15ad85ad2bdcbd18834c33
- 5184c31619901293903173c4ca98610a
SHA-256
- 019a5c8c724e490df29020c1854c5b015413c9f39af640f7b34190fd4c989e81
- 9360f2ee1db89f9bac13f8de427a7b89c24919361dcd004c40c95859c8ce6a79
SHA-1
- 1e9b28b6cee2825cc6c4f242220ceb46722dc80d
- f87283547e4267709118e40763c6a6f00abfe9aa
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Keep operating systems and software up to date, as banking trojans often exploit known vulnerabilities in software and operating systems; prompt patching removes those entry points.
- Implement strong password policies and multifactor authentication: banking malware often relies on stolen login credentials to access sensitive information, and MFA makes stolen credentials far less useful to attackers.
- Provide regular security awareness training for employees that can help them recognize phishing emails and other types of social engineering attacks that are commonly used to spread banking malware.
- Maintain daily backups of all computer networks and servers.