PixPirate RAT Invisibly Triggers Wire Transfers From Android Devices

Published: 23/11/2024   Category: security




A multitooled Trojan cuts apart Brazil's premier wire transfer app. Could similar malware do the same to Venmo, Zelle, or PayPal?



A sophisticated Brazilian banking Trojan is using a novel method for hiding its presence on Android devices. PixPirate is a multipronged malware specially crafted to exploit Pix, an app for making bank transfers developed by the Central Bank of Brazil. Pix makes a good target for Brazil-nexus cybercriminals since, despite being hardly 3 years old, it's already integrated into most Brazilian banks' online platforms and sports more than 150 million users, according to Statista. Each month, it processes somewhere in the range of 3 billion transactions, totaling around $250 billion worth of Brazilian real.
PixPirate's newest powerful trick, documented in a new blog post from IBM, is how it cleverly hides its presence on an Android device — no app icon, seemingly no footprint whatsoever — despite protections that Google engineers designed to prevent this specific thing from happening. And experts warn that a similar tactic could be employed by banking malware targeting the US and EU, as well.
PixPirate is a cutting-edge heir to the banking Trojans of yesteryear.
It typically spreads via a fake bank authentication app, sent to potential victims using WhatsApp or SMS. Clicking the link downloads a downloader, which then prompts the user to further download an updated version of the fake app (which is the PixPirate payload).
"From the victim's perspective, they are unaware of the PixPirate malware being installed by the downloader because in their eyes the downloader is legitimate. So, they are unlikely to suspect anything suspicious," explains Nir Somech, security mobile researcher at IBM Trusteer.
Once comfortably embedded in an Android phone, the malware sits and waits until a user opens up a real banking app. At that point, it springs into action, grabbing the login credentials they type in and sending them to an attacker-controlled command-and-control (C2) server. With account access in hand, it overlays a false second screen to the user, while it opens the banking app underneath, programmatically presses the buttons necessary to reach its Pix page, then executes an unauthorized transfer.
PixPirate also features dozens of other capabilities to ease this financial fraud, from pinpointing the device's location to keylogging, locking and unlocking its screen, accessing contacts and call histories, installing and deleting apps, persistence after reboots, and more.
However, its newest, most advanced feature lies in how it hides all evidence of itself from the user.
Traditionally, malicious apps have concealed their presence on compromised devices by simply hiding their home screen icons.
As of Android 10, however, this became impossible. Nowadays, all app icons must be visible, save for system apps or those that don't seek permissions from the user.
Like every cybersecurity advancement before it, this positive change also served as a creative constraint. "It enabled threat actors to adapt, which is what we're seeing with this new mechanism, where the icon doesn't need concealing because it simply doesn't exist," says Somech.
By "doesn't exist," he means that PixPirate has no main activity on the device — no launcher to begin with. How, then, does an app without a launcher launch?
The key is that, instead of the payload, the downloader is effectively the app that runs on the device. When it wants to, it launches the payload by creating and binding to an exported service capable of running it. Then the two continue to communicate, and they pass on malicious commands.
For persistence, after the first time it's triggered by the downloader, the payload service also binds to other receivers, which are activated when certain other events trigger on the device.
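As an added defender-side example (not IBM's or Google's code), the following Python heuristic parses an AndroidManifest.xml and flags the pattern the article describes: a package that declares no MAIN/LAUNCHER activity yet requests permissions and exports a service that another app could bind to. The manifest is constructed for illustration; `com.example.payload` and the component names are placeholders, not real PixPirate artifacts.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not a real PixPirate artifact): a non-system
# app with no MAIN/LAUNCHER activity, an exported service another app can
# bind to, and a boot receiver for persistence after reboots.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.payload">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Update">
    <service android:name=".RemoteService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def has_launcher_activity(app: ET.Element) -> bool:
    """True if any activity/activity-alias carries a MAIN + LAUNCHER filter."""
    for act in app.findall("activity") + app.findall("activity-alias"):
        for filt in act.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.findall("action")}
            cats = {c.get(ANDROID_NS + "name") for c in filt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False


def analyze_manifest(xml_text: str) -> dict:
    """Collect the facts behind the heuristic and a review-worthy verdict."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    launcher = has_launcher_activity(app)
    exported_services = [s.get(ANDROID_NS + "name") for s in app.findall("service")
                         if s.get(ANDROID_NS + "exported") == "true"]
    permissions = [p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")]
    return {
        "package": root.get("package"),
        "has_launcher": launcher,
        "exported_services": exported_services,
        "permissions": permissions,
        # Needs review: asks for permissions yet offers no launcher entry point,
        # and exposes a service a companion app could bind to.
        "suspicious": not launcher and bool(permissions) and bool(exported_services),
    }
```

The verdict is a triage signal, not a conviction: legitimate background components (keyboards, device-admin agents) can also lack a launcher, so the output is meant to queue a package for review alongside its installer source and signing identity.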
According to IBM Trusteer, this is the first financial malware to ever use this method for running without an app icon.
In a statement to Dark Reading, a Google spokesperson noted: "Based on our current detections, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
For anyone worried that PixPirate might portend a threat to US banks and banking apps — such as Venmo, Zelle, and PayPal — there is both good and bad news.
The good news is that the malware is bespoke. "PixPirate exploits specific functionalities and vulnerabilities within the Pix payment system, which may not directly apply to US payment apps with differing architectures and security mechanisms," explains Sarah Jones, cyber threat intelligence research analyst at Critical Start. "Even if core functionalities could be adapted, the malware's reliance on abusing accessibility services might require modifications to align with different accessibility implementations used by US apps."
However, she warns, "While an exact replica may face obstacles, the underlying techniques employed by PixPirate pose concerns for US payment systems. The concept of abusing accessibility services for malicious purposes could inspire attackers to target other vulnerable functionalities in US apps."
Thus, she concludes, "while the direct threat of PixPirate to US payment systems may be limited, its emergence underscores the importance of proactive security measures in safeguarding sensitive financial information."
Story updated on March 14 with a statement from Google.
