
PixBankBot: New ATS-Based Malware Poses Threat to the Brazilian Banking Sector

Android Banking Trojan Targets Users Holding Over R$500

Pix, the instant payment platform, has revolutionized the way payments and transfers are carried out, offering unparalleled convenience to users. An impressive statistic provided by Banco Central do Brasil reveals that over 138 million users have transacted using Pix as of April 2023; it’s clear that its popularity continues to soar. However, as this innovative technology empowers users, it has also captured the attention of Threat Actors (TAs). Brazilian banks that utilize the Pix Instant Payment system are under constant siege from these relentless adversaries.

In the past six months, Cyble Research & Intelligence Labs (CRIL) has observed a rise in the occurrence of Android Banking Trojans that specifically focus on Brazilian banks, utilizing the Automated Transfer System (ATS) framework.

These trojans have integrated ATS into their operations to conduct fraudulent transactions on the devices of unsuspecting victims. The timeline depicted below illustrates the activity of the Android Banking Trojan’s targeting of Brazilian banks.

Figure 1 – Timeline of ATS-based Banking Trojan targeting Brazilian banks

The timeline reveals that BrasDex, uncovered in December 2022, remained operational in the wild for an extended duration. In contrast, the recently discovered PixPirate and GoatRAT banking Trojans are active and continue spreading, specifically targeting Brazilian banking users.

The Cyble Research and Intelligence Labs (CRIL) has been actively monitoring Android Banking Trojans and has recently identified a new variant, which we refer to as “PixBankBot”, based on the malware’s capability to abuse the Pix instant payment platform. The PixBankBot Banking Trojan has been designed with the specific purpose of targeting Brazilian banks, utilizing an ATS (Automated Transfer System) framework.

Like other ATS-based Banking Trojans, PixBankBot leverages the Accessibility Service to identify and track User Interface (UI) elements within targeted banking applications. This enables the malware to implement ATS functionality and execute fraudulent transactions on the victim’s device. Additionally, PixBankBot employs the Accessibility service for keylogging purposes. The malware captures logs of UI elements that the user interacts with, along with other details like account balance, money transfer details, and the specific bank being targeted.

A detailed analysis of the PixBankBot Banking Trojan is presented in the section below.

Technical Analysis 

APK Metadata Information

  • App Name: Pdf
  • Package Name: liberdade.tec.com
  • SHA256 Hash: a35124dbbb2313dbc9152f44e0073d69d9baee5829b1d2c07e5490fcc1073ac1

The figure below shows the metadata information of the application. 

Figure 2 – Application metadata information

PixBankBot malware was observed pretending to be a PDF application. The malware cleverly utilizes the icon and name of a PDF app to appear genuine, enticing victims to install the malicious application.

Upon installation, PixBankBot Banking Trojan prompts the victim to enable the Accessibility Service, which is further abused by malware for keylogging and the ATS framework.

Figure 3 – Malware prompts for Accessibility Service

Once the Accessibility Service is enabled, in the background, the malware sends the basic device information such as device name, Android version, IP, and region to the Command & Control (C&C) server: hxxp://proctrt.sytes[.]net/tra/a.php.

Figure 4 – C&C communication

The PixBankBot Banking Trojan utilizes the Accessibility Service to identify the package name of the application with which the victim is interacting. If the victim engages with any banking application listed in the table below, the malware initiates keylogging and executes the ATS.

Package name                Application name
com.c6bank.app              C6 Bank
com.nu.production           Nubank: conta, cartão e mais
com.picpay                  PicPay: conta digital, cartão
br.com.uol.ps.myaccount     PagBank Banco, Conta e mais
com.itau                    Banco Itaú: abrir conta online
com.mercadopago.wallet      Mercado Pago: cuenta digital

Once the targeted bank application is detected, the malware starts another activity, creating a fake window on a genuine application.

This fake window serves to conceal the malicious activities of the malware from unsuspecting victims. However, in the background, the malware starts interacting with a legitimate banking application to carry out Automatic Fund Transfers.   

Figure 5 – Creating a fake window on the targeted application

Fetching Pix key

A Pix key is a unique identifier that facilitates quick and convenient transfers or payments. It is associated with the recipient’s bank account information, which allows the user to transfer or receive money easily.

In Brazil, there are five primary Pix key systems available to users:

  • Natural Persons Register (CPF)/National Registry of Legal Entities (CNPJ)
  • E-mail Address
  • Mobile phone number
  • QR code
  • System-generated unique key

The malware connects to the Pastebin URL: hxxps://Pastebin[.]com/raw/Eq9gf6US to retrieve the TA’s Pix key.

In this case, the malware receives different system-generated unique keys (UUIDs), encoded in base64, one for each targeted banking application. The malware then employs these keys to carry out fund transfers.

The accompanying figure illustrates the process of the malware fetching the Pix key.

Figure 6 – Malware fetching Pix keys

After fetching the Pix key, the malware scans for the User Interface (UI) element that contains the word “chave” (which translates to “key”).

Once the malware successfully locates this specific element, it fills the corresponding edit text field with the Pix key obtained from the server, as shown in the figure below.

Figure 7 – Malware inserting the Pix key

The code depicted in the above figure is designed specifically for the ITAU bank. However, the malware scans different UI elements to locate the page related to the Pix key in the respective targeted banking application.

Transfer Amount Setup

After inserting the Pix key, the PixBankBot Banking Trojan utilizes the UI element “Saldo disponível” (translated as “Balance available”) to find out the balance amount in the victim’s account.

The malware retrieves the balance amount and then searches for another element, “R$”, which indicates to the malware that the legitimate banking application expects the transfer amount. The malware then inserts the transfer amount to carry out the transaction.

Figure 8 – Malware inserts transfer amount

Once the malware inserts the Pix key and transfer amount, it finishes the money transfer process by auto-clicking on the UI elements such as “continuar”, “confirmar”, “Confirmar valor”, “transferência” or “Pagar”.

Figure 9 – Auto-clicking UI elements to finish the money transfer
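The Accessibility-driven steps described above (detecting the foreground package, searching nodes for “chave”, “Saldo disponível” and “R$”, filling fields and auto-clicking confirmation buttons) are exactly what a banking app can try to detect or deny on its own side. The Java snippet below is an added defensive example written for this post, not code from the malware or from any bank; the class and method names are hypothetical, and it relies only on the stock Android APIs named in the comments.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.os.Build;
import android.view.View;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical hardening helpers for a Pix-capable banking app (added example). */
public final class AtsHardening {

    /**
     * Returns the package names of enabled accessibility services that can read window
     * content but are not declared as accessibility tools. An ATS of the kind described
     * above needs exactly this capability to locate the "chave", "Saldo disponível" and
     * "R$" nodes, so the app can refuse to open the Pix flow, or step up authentication,
     * while such a service is active. Legitimate screen readers declare
     * isAccessibilityTool on API 33+; below that level every content-reading service is
     * reported and needs manual review.
     */
    public static List<String> suspiciousAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> flagged = new ArrayList<>();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            boolean readsContent = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            boolean declaredTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU
                    && info.isAccessibilityTool();
            if (readsContent && !declaredTool) {
                flagged.add(info.getResolveInfo().serviceInfo.packageName);
            }
        }
        return flagged;
    }

    /**
     * Marks a Pix key or amount input so that, on API 34+, only services declaring
     * isAccessibilityTool can read or act on it; other services do not receive its node,
     * which breaks the text-search-and-fill step. The touch filter discards taps that
     * arrive while another app's window covers the field, a defence against overlays
     * such as the fake window described above.
     */
    public static void protectPixField(View field) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            field.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }
        field.setFilterTouchesWhenObscured(true);
    }
}
```

Call suspiciousAccessibilityServices before showing the transfer screen and protectPixField on the key and amount inputs; neither replaces server-side transaction risk scoring, which still sees the transfer even when the device check is bypassed.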

Furthermore, the malware also verifies the presence of UI elements associated with biometric confirmation. If the victim has enabled biometric verification for payment confirmation, the malware displays deceptive messages shown below to lure the victim into authenticating their fingerprints.

  • Por favor, confirme sua digital! (Please confirm your fingerprint!)
  • Para finalizar a atualização do seu celular, precisamos que você coloque sua digital. É simples e seguro! Basta posicionar o dedo no sensor indicado e aguardar a confirmação. Assim, seu aparelho estará pronto para ser usado com todas as novidades e melhorias da atualização. (To finalize your mobile phone update, we need you to place your fingerprint. It’s simple and safe! Just place your finger on the indicated sensor and wait for confirmation. Thus, your device will be ready to be used with all the news and improvements of the update.)

Figure 10 – Luring victim into authenticating fingerprints

Sending Money Transfer Logs

Once the malware finishes the money transfer, it sends the transfer amount and the targeted bank name to the C&C server. Then it removes itself from the infected device to avoid being detected.

Figure 11 – Malware sending money transfer log and deleting itself

The TA(s) behind PixBankBot has skillfully monitored all the UI elements of the targeted banking applications to implement an ATS framework and conduct fraudulent transactions on the victim’s device.

Additionally, the TA has taken further precautions to remove the malicious application from the infected device under specific circumstances. For instance, if the account balance falls below the Brazilian Real R$500.00 amount or if a money transfer has been successfully completed, the application removes itself to avoid drawing the victim’s attention or arousing suspicion.

Conclusion

The rise in the variants of ATS-based Android Banking Trojans such as BrasDex, PixPirate, GoatRAT, and the recently discovered PixBankBot targeting Brazilian banks, highlights the evolving threats faced by financial institutions in the age of digital payments. The popularity and convenience of the Pix Instant Payment platform have made it an attractive target for cybercriminals seeking to exploit its widespread adoption in the Latin American user base.

These trojans can execute fraudulent transactions and collect sensitive user information by integrating the ATS framework. They leverage Accessibility Services to carry out their malicious activities discreetly without requiring user interaction. Additionally, these trojans employ tactics to remove themselves from infected devices, ensuring that they remain undetected.

The persistent evolution of these malware variants indicates the likelihood of new Android Banking Trojans being discovered incorporating advanced features such as ATS, specifically targeting Brazilian banks. Users and financial institutions must remain vigilant to avoid falling victim to these emerging threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic             Technique ID   Technique Name
Initial Access     T1476          Deliver Malicious App via Other Means
Initial Access     T1444          Masquerade as a Legitimate Application
Collection         T1417          Input Capture
Discovery          T1418          Application Discovery
Defense Evasion    T1508          Suppress Application Icon
Defense Evasion    T1576          Uninstall Malicious Application

Indicators of Compromise (IOCs)

