PixStealer Targets Customers of the Brazilian PagBank

Nowadays, the banking industry is heavily digitalized, and this opens many new opportunities for cybercriminals. One region in particular is heavily affected by banking Trojans of all sorts – Latin America. Recently, a new malware family was detected in the region. The threat, dubbed PixStealer, is an Android banking Trojan with a very peculiar attack method.

PixStealer appears to be a very simple project, but this does not mean that it is not efficient at what it does. By keeping its features to a bare minimum, its creators hope to evade the majority of Android's security features. To make matters worse, PixStealer was temporarily hosted on the official Google Play Store, potentially infecting thousands of users in Brazil. The malware was hidden in an app called PagBank Cashback and, as the name suggests, it targeted customers of the PagBank financial institution. This institution operates only in Brazil, and it uses some very robust security features to protect its customers' funds. However, PixStealer may get around these features with a simple yet efficient method to siphon funds out of victims' accounts.

Limited Features Make PixStealer Stealthier than Other Trojans

For starters, PixStealer does not have the ability to communicate with a remote server. Android Trojans often need this functionality in order to transmit data and receive further instructions. PixStealer, however, works in offline mode, and it only needs permission to use the Android Accessibility Service in order to function. The victim may easily grant it such permission, because they are under the impression that they are interacting with a legitimate PagBank app.

Once users open the malicious app, it starts instructing them on what to do next through misleading prompts. Victims must first open the legitimate PagBank app for 'synchronization.' When this happens, the PixStealer Trojan reads the victim's available balance and stores it for later use. It then shows a fake overlay asking the user to wait until the synchronization is complete. This step is very important, because it prevents the user from seeing what is happening in the background: PixStealer uses the Accessibility Service to interact with the legitimate PagBank app and siphon the victim's funds to the attacker's account.
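The two building blocks described above (an enabled accessibility service driving the banking app, and an overlay hiding that activity from the user) are also what a banking app can check for on the defensive side. The snippet below is an added example and is not code from the article, from PagBank, or from any analysis of PixStealer; the object name `AccessibilityHygiene`, the function names and the `KNOWN_ASSISTIVE_PACKAGES` allow-list are assumptions constructed for this illustration. It uses only public Android framework APIs: enumerating enabled accessibility services, rejecting touches delivered while the view is covered by another window, and (on Android 14 and later) marking sensitive views as inaccessible to services that are not declared accessibility tools.

```kotlin
// Added example (not from the article): defensive checks an Android banking app
// could run before showing a transfer or balance screen. All names below are
// hypothetical; the allow-list is a constructed sample, not a vetted policy.
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

object AccessibilityHygiene {

    // Constructed allow-list of assistive-technology packages the app expects.
    // A real deployment would maintain this through policy, not a hard-coded set.
    private val KNOWN_ASSISTIVE_PACKAGES = setOf(
        "com.google.android.marvin.talkback" // TalkBack, listed as an example entry
    )

    /**
     * Returns the package names of enabled accessibility services that are not
     * on the allow-list. A non-empty result is a signal to warn the user before a
     * sensitive action, not proof of malware: some keyboards and utilities also
     * register accessibility services.
     */
    fun unexpectedAccessibilityServices(context: Context): List<String> {
        val manager = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return manager
            .getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .mapNotNull { info -> info.resolveInfo?.serviceInfo?.packageName }
            .filter { pkg -> pkg !in KNOWN_ASSISTIVE_PACKAGES }
            .distinct()
    }

    /**
     * Reduces the exposure of a sensitive screen to overlays and to automated
     * interaction by accessibility services.
     */
    fun hardenSensitiveScreen(activity: Activity, sensitiveViews: List<View>) {
        // Block screenshots and screen recording of this window.
        activity.window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        for (view in sensitiveViews) {
            // Discard touches that arrive while another window covers this view
            // (the framework's built-in tapjacking defence).
            view.filterTouchesWhenObscured = true
            // On Android 14+, hide the view's content and actions from accessibility
            // services that are not declared as accessibility tools.
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
                view.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
            }
        }
    }
}

// Illustrative use from an Activity (hypothetical screen and view names):
//
// class TransferActivity : Activity() {
//     override fun onResume() {
//         super.onResume()
//         val suspicious = AccessibilityHygiene.unexpectedAccessibilityServices(this)
//         if (suspicious.isNotEmpty()) {
//             showAccessibilityWarning(suspicious) // app-specific dialog, hypothetical
//         }
//         AccessibilityHygiene.hardenSensitiveScreen(this, listOf(amountField, confirmButton))
//     }
// }
```

The check is a heuristic and should drive a warning or a step-up verification rather than a hard block, since legitimate assistive tools also appear in the enabled-services list. Marking views as accessibility-data-sensitive is the most direct counter to the pattern described in the article, because it prevents a service that is not a declared accessibility tool from reading or acting on those views at all; on older Android versions only the service enumeration and the obscured-touch filter are available.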

Typically, this type of transfer requires multiple forms of verification – 2FA via SMS, document upload, and even a selfie taken with the camera. However, since the transfer is initiated from the user's real device, PagBank may not apply such robust verification measures – it is under the impression that all activity is legitimate. Currently, PixStealer only works against the Brazil-based PagBank. However, it would not be a surprise if its creators release tailored versions that go after other popular Android banking applications. Stay safe from such attacks by using reputable Android antivirus services.

October 4, 2021