Android

The latest version of the PixPirate banking trojan for Android employs a new method to hide on phones while remaining active, even if its dropper app has been removed.

PixPirate is a new Android malware first documented by the Cleafy TIR team last month seen targeting Latin American banks.

Though Cleafy noted that a separate downloader app launches the malware, the report didn't delve into its innovative hiding or persistence mechanisms, or these were introduced only recently.

Icons used by dropper apps
Icons used by dropper apps (Cleafy)

A new report by IBM explains that contrary to the standard tactic of malware attempting to hide its icon, which is possible on Android versions up to 9, PixPirate does not use a launcher icon. This enables the malware to remain hidden on all recent Android releases up to version 14.

However, not using an icon at all creates the practical problem of not giving the victim a way to launch the malware.

IBM Trusteer researchers explain that the new PixPirate versions utilize two different apps that work together to steal information from devices.

The first app is known as a 'downloader' and is distributed through APKs (Android Package Files) that are spread via phishing messages sent on WhatsApp or SMS.

This downloader app requests access to risky permissions upon installation, including Accessibility Services, and then proceeds to download and install the second app (named 'droppee'), which is the encrypted PixPirate banking malware.

The 'droppee' app does not declare a main activity with "android.intent.action.MAIN" and "android.intent.category.LAUNCHER" in its manifest, so no icon appears on the home screen, making it completely invisible.

Instead, the droppee app exports a service that other apps can connect to, which the downloader connects to when it wants to trigger the launch of the PixPirate malware.

Apart from the dropper app that can launch and control the malware, these triggers could be device boot, connectivity changes, or other system events that PixPirate listens for, allowing it to execute in the background.

Service declaration (top) and event binding (bottom)
Service declaration (top) and event binding (bottom) (IBM)

"The droppee has a service called "com.companian.date.sepherd" exported and holds an intent-filter with the custom action 'com.ticket.stage.Service.'," explains IBM's analysts.

"When the downloader wants to run the droppee, it creates and binds to this droppee service using the API "BindService" with the flag "BIND_AUTO_CREATE" that creates and runs the droppee service."

"After the creation and binding of the droppee service, the droppee APK is launched and starts to operate."

Even if the victim removes the downloader app from the device, PixPirate can continue to launch based on different device events and hide its existence from the user.

Hidden money transfers

The malware targets the Brazilian instant payment platform Pix, attempting to divert funds to attackers by intercepting or initiating fraudulent transactions.

IBM says Pix is very popular in Brazil, where over 140 million people use it to conduct transactions that have exceeded $250 billion as of March 2023.

PixPirate's RAT capabilities allow it to automate the entire fraud process, from capturing user credentials and two-factor authentication codes to executing unauthorized Pix money transfers, all in the background without users' knowledge. However, Accessibility Service permissions are required for this.

There's also a fallback manual control mechanism for when the automated methods fail, giving the attackers another channel to perform on-device fraud.

Cleafy's report from last month also highlighted the use of push notification malvertising and the malware's capability to disable Google Play Protect, one of Android's core security features.

Though PixPirate's infection method isn't novel and can be easily remediated by avoiding APK downloads, not using an icon and registering services bound to system events is an alarming new strategy.

BleepingComputer has contacted Google for a comment on whether it plans to introduce any measures that block this tactic, and a spokesperson has sent us the following statement:

Based on our current detections, no apps containing this malware are found on Google Play.

Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.

Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play. - A Google spokesperson

Update 3/14 - Added Google statement

Related Articles:

New Medusa malware variants target Android users in seven countries

Over 90 malicious Android apps with 5.5M installs found on Google Play

Finland warns of Android malware attacks breaching bank accounts

Rafel RAT targets outdated Android phones in ransomware attacks

Snowblind malware abuses Android security feature to bypass security