
PixPirate Android Banking Trojan Employing Fresh Evasion Strategy to Attack Brazilian Customers

The threat actors behind the PixPirate Android banking trojan have found a new way to avoid detection and gather sensitive information from Brazilian users.

IBM revealed in a recent technical report that the tactic involves hiding the malicious app’s icon from the victim’s device home screen.

“This new technique enables PixPirate to carry out its malicious operations in the background during reconnaissance and attack phases without the victim being aware of it,” security researcher Nir Somech explained.

Cleafy first reported PixPirate in February 2023, noting its use of Android’s accessibility services to conduct unauthorized transactions through the PIX instant payment platform when a targeted banking app is opened.

In addition to stealing banking credentials and credit card details, PixPirate can capture keystrokes and intercept SMS messages for two-factor authentication codes.

The malware is usually distributed via SMS and WhatsApp, with a dropper app used to install the main payload for fraudulent activities.

Unlike previous versions, the latest iteration of the payload no longer displays the app’s icon on the home screen, making it difficult for users to launch it directly.

To ensure persistence, PixPirate requires both the downloader and the main payload to work together, communicating and executing commands to carry out malicious activities.

Latin American banks are also facing a new threat from the Fakext malware, which uses a rogue Microsoft Edge extension called SATiD to perform man-in-the-browser attacks and steal bank credentials.

Fakext has been active since November 2023 and targets banks in Mexico, prompting victims to download a fake remote access tool under the guise of IT support.

The campaign has affected 14 banks in the region, leading to the removal of the malicious extension from the Edge Add-ons store.
