Researchers have traced an Android financial trojan dubbed “PixBankBot” that accesses and abuses the popular Brazilian instant payment platform Pix.
The Android trojan PixBankBot is built on the ATS framework and uses the Accessibility Service to identify and track User Interface (UI) elements within targeted financial apps, particularly the instant payment platform Pix.
By doing so, PixBankBot can execute fraudulent transactions and capture sensitive information including account balances and money transfer details, found Cyble Research & Intelligence Labs (CRIL) researchers.
“An impressive statistic provided by Banco Central do Brasil reveals that over 138 million users have transacted using Pix as of April 2023; it’s evident that its popularity continues to soar,” said the CRIL report.
“However, as this innovative technology empowers users, it has also captured the attention of Threat Actors (TAs).”
PixBankBot: Pix and the popularity bane
Pix is a fast and user-friendly instant payment platform developed and overseen by the Central Bank of Brazil (BCB), the country’s monetary authority.
The Central Bank of Brazil internally designed and created the “Pix” trademark name and logo in 2020.
Launched in the summer of 2019 and officially operational since November 16, 2020, Pix enables users to swiftly execute various types of payments and transfers.
Brazilian banks utilizing the Pix Instant Payment system are facing an ongoing onslaught from these relentless adversaries, the CRIL research report warned.
In the past six months, Cyble Research & Intelligence Labs (CRIL) has witnessed a surge in Android financial trojans specifically tailored to Brazilian banks.
Timeline of ATS-based Financial Trojan targeting Brazilian banks – CRIL
The cases spotted recently include the Chameleon Android financial trojan, which targeted mobile users to capture SMS messages and maintain persistence, and ‘Zanubis’, which targeted over 40 financial applications from Peru.
These trojans employ the Automated Transfer System (ATS) framework to carry out fraudulent transactions, posing a significant threat to the country’s financial sector.
Among the recent discoveries, PixBankBot has emerged as a new variant that specifically targets the online services of Brazilian banks, in particular Pix.
PixBankBot: How it works
The PixBankBot malware disguises itself as a PDF application, utilizing the icon and name of a genuine PDF app to deceive victims into installing the malicious software.
Once installed, the malware prompts users to enable the Accessibility Service, which it then abuses for keylogging and executing the ATS framework.
Malware prompts for Accessibility Service – CRIL
Upon enabling the Accessibility Service, the malware secretly sends vital device information such as device name, Android version, IP address, and region to a Command & Control (C&C) server.
The PixBankBot trojan utilizes the Accessibility Service to identify the package name of the targeted financial application.
If the victim interacts with any of the financial applications listed in the CRIL report, the malware initiates keylogging and begins executing the ATS.
To further mask its activities, PixBankBot creates a fake window over the genuine financial application, ensuring the victim remains unaware of the malicious activity taking place in the background.
Meanwhile, the malware interacts with the legitimate financial application to carry out unauthorized fund transfers.
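As an added example (not code from the CRIL report or from PixBankBot), the following Python script applies a static triage heuristic to a decoded, plain-text AndroidManifest.xml (for example one extracted by a decompiler from an APK), based on the two traits described above: an app that presents itself as a PDF viewer and declares an accessibility service. An app that is branded as a PDF reader yet registers no intent filter to open `application/pdf` content, while asking for `BIND_ACCESSIBILITY_SERVICE`, is flagged for manual review. The two manifests, their package names and service names are constructed for illustration and are not PixBankBot’s real manifest.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def _attr(elem, name):
    """Read an android:-namespaced attribute, defaulting to an empty string."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", "")


def triage_manifest(xml_text: str) -> dict:
    """Heuristic triage of a decoded AndroidManifest.xml.

    Looks for the combination described for PixBankBot: an app branded as a
    PDF viewer that declares an accessibility service but never registers to
    open PDF content. Returns a dict of findings; 'suspicious' is True only
    when both signals are present, so a genuine PDF reader with an
    accessibility feature, or an unrelated app, is not flagged.
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    label = _attr(app, "label") if app is not None else ""

    # Collect services bound as accessibility services (by permission or action).
    accessibility_services = []
    for svc in root.iter("service"):
        actions = {_attr(a, "name") for a in svc.iter("action")}
        if _attr(svc, "permission") == ACCESSIBILITY_PERMISSION or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(_attr(svc, "name"))

    # Does any intent filter actually declare PDF handling?
    handles_pdf = any(_attr(d, "mimeType").lower() == "application/pdf" for d in root.iter("data"))
    claims_pdf = bool(re.search(r"\bpdf\b", label, re.IGNORECASE))

    flags = []
    if accessibility_services:
        flags.append("declares-accessibility-service")
    if claims_pdf and not handles_pdf:
        flags.append("pdf-branding-without-pdf-handling")

    return {
        "package": root.get("package", ""),
        "label": label,
        "accessibility_services": accessibility_services,
        "claims_pdf": claims_pdf,
        "handles_pdf": handles_pdf,
        "flags": flags,
        "suspicious": len(flags) == 2,
    }


# Constructed sample: a PDF-branded app that declares an accessibility service
# and registers no PDF intent filter (hypothetical; not PixBankBot's manifest).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfviewer">
  <application android:label="PDF Reader">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a plausible real PDF reader that handles application/pdf
# and declares no accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realpdf">
  <application android:label="PDF Reader">
    <activity android:name=".ViewerActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:mimeType="application/pdf"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"{name}: {result['package']} flags={result['flags']} suspicious={result['suspicious']}")
```

The heuristic is deliberately narrow: declaring an accessibility service is legitimate for many apps, so it is only combined with the mismatch between the app’s branding and what it actually registers to handle. It is a triage aid for prioritizing samples, not a verdict, and a real review would follow up on the flagged service’s code.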
PixBankBot: Cashing in on transfers
Fund transfers are facilitated through Pix keys, which serve as unique identifiers associated with recipients’ bank account information. The malware connects to a Pastebin URL to retrieve the Threat Actors’ (TA’s) Pix key.
Each targeted financial application receives a different system-generated unique key (UUID) encoded in base64, enabling the malware to execute fund transfers.
To insert the fetched Pix key, the malware scans for UI elements containing the word “chave” (which means “key” in Portuguese).
Once such an element is located, the malware inserts the Pix key obtained from the server into the corresponding edit text field.
The specific code demonstrated in the report is designed for the ITAU bank, although the malware scans different UI elements to find the page related to the Pix key in the other targeted financial applications.
“Once the malware finishes the money transfer, it sends the transfer value and the targeted bank name to the C&C server. Then it removes itself from the infected device to avoid being detected,” said the report.
“The TA(s) behind PixBot has skillfully monitored all the UI elements of the targeted financial application to implement an ATS framework and carry out fraudulent transactions on the victim’s device,” it added.
Moreover, the threat actor (TA) has implemented additional measures to uninstall the malicious application from the compromised device in certain situations.