Android Banking Trojan Targets Users Holding Over R$500
Pix, the instant payment platform, has revolutionized the way payments and transfers are carried out, offering unparalleled convenience to users. An impressive statistic provided by Banco Central do Brasil reveals that over 138 million users have transacted using Pix as of April 2023; it’s clear that its popularity continues to soar. However, as this innovative technology empowers users, it has also captured the attention of Threat Actors (TAs). Brazilian banks that utilize the Pix Instant Payment system are under constant siege from these relentless adversaries.
In the past six months, Cyble Research & Intelligence Labs (CRIL) has observed a rise in the occurrence of Android Banking Trojans that specifically focus on Brazilian banks, utilizing the Automated Transfer System (ATS) framework.
These trojans have integrated ATS into their operations to conduct fraudulent transactions on the devices of unsuspecting victims. The timeline depicted below illustrates the activity of the Android Banking Trojan’s targeting of Brazilian banks.
The timeline reveals that BrasDex, uncovered in December 2022, remained operational in the wild for an extended duration. In contrast, the recently discovered PixPirate and GoatRAT banking Trojans are active and continue spreading, specifically targeting Brazilian banking users.
The Cyble Research and Intelligence Labs (CRIL) has been actively monitoring Android Banking Trojans and has recently identified a new variant, which we refer to as “PixBankBot”, based on the malware capability of abusing the Pix instant payment platform. The PixBankBot Banking Trojan has been designed with the specific purpose of targeting Brazilian banks, utilizing an ATS (Automated Transfer System) framework.
Like other ATS-based Banking Trojans, PixBankBot leverages the Accessibility Service to identify and track User Interface (UI) elements within targeted banking applications. This enables the malware to implement ATS functionality and execute fraudulent transactions on the victim’s device. Additionally, PixBankBot employs the Accessibility service for keylogging purposes. The malware captures logs of UI elements that the user interacts with, along with other details like account balance, money transfer details, and the specific bank being targeted.
A detailed analysis of the PixBankBot Banking Trojan is presented in the sections below.
APK Metadata Information
- App Name: Pdf
- Package Name: liberdade.tec.com
- SHA256 Hash: a35124dbbb2313dbc9152f44e0073d69d9baee5829b1d2c07e5490fcc1073ac1
The figure below shows the metadata information of the application.
PixBankBot malware was observed pretending to be a PDF application. The malware cleverly utilizes the icon and name of a PDF app to appear genuine, enticing victims to install the malicious application.
Upon installation, PixBankBot Banking Trojan prompts the victim to enable the Accessibility Service, which is further abused by malware for keylogging and the ATS framework.
Once the Accessibility Service is enabled, in the background, the malware sends the basic device information such as device name, Android version, IP, and region to the Command & Control (C&C) server: hxxp://proctrt.sytes[.]net/tra/a.php.
The PixBankBot Banking Trojan uses the Accessibility Service to read the package name of the application the victim is currently interacting with. If the victim opens any of the banking applications listed in the table below, the malware begins keylogging and starts the ATS routine.
| Package name | Application name |
|---|---|
| com.nu.production | Nubank: conta, cartão e mais |
| com.picpay | PicPay: conta digital, cartão |
| br.com.uol.ps.myaccount | PagBank Banco, Conta e mais |
| com.itau | Banco Itaú: abrir conta online |
| com.mercadopago.wallet | Mercado Pago: cuenta digital |
Once a targeted banking application is detected, the malware launches another activity that draws a fake window over the genuine application.
This fake window hides the malware's actions from the victim while, in the background, the malware drives the legitimate banking application through the Accessibility Service to carry out the automated fund transfer.
Fetching Pix key
A Pix key is a unique identifier that facilitates quick and convenient transfers or payments. It is associated with the recipient’s bank account information, which allows the user to transfer or receive money easily.
In Brazil, there are five primary Pix key systems available to users:
- Natural Persons Register (CPF)/National Registry of Legal Entities (CNPJ)
- E-mail Address
- Mobile phone number
- QR code
- System-generated unique key
The malware connects to the Pastebin URL: hxxps://Pastebin[.]com/raw/Eq9gf6US to retrieve the TA’s Pix key.
In this case, the malware receives a set of system-generated unique keys (UUIDs), base64-encoded, one per targeted banking application. The malware then uses these keys as the recipient when carrying out fund transfers.
The accompanying figure illustrates the process of the malware fetching the Pix key.
After fetching the Pix key, the malware scans for the User Interface (UI) element that contains the word “chave” (which translates to “key”).
Once the malware locates this element, it fills the corresponding EditText field with the Pix key obtained from the server, as shown in the figure below.
The code shown in the figure above is specific to the Itaú application; for the other targeted banking applications, the malware scans for different UI elements to locate the Pix key page.
Transfer Amount Setup
After inserting the Pix key, the PixBankBot Banking Trojan utilizes the UI element “Saldo disponível” (translated as “Balance available”) to find out the balance amount in the victim’s account.
The malware retrieves the balance amount and then searches for another element, “R$”, which indicates to the malware that the legitimate banking application expects the transfer amount. The malware then inserts the transfer amount to carry out the transaction.
Once the malware inserts the Pix key and transfer amount, it finishes the money transfer process by auto-clicking on the UI elements such as “continuar”, “confirmar”, “Confirmar valor”, “transferência” or “Pagar”.
Furthermore, the malware also verifies the presence of UI elements associated with biometric confirmation. If the victim has enabled biometric verification for payment confirmation, the malware displays deceptive messages shown below to lure the victim into authenticating their fingerprints.
- Por favor, confirme sua digital! (Please confirm your fingerprint!)
- Para finalizar a atualização do seu celular, precisamos que você coloque sua digital. É simples e seguro! Basta posicionar o dedo no sensor indicado e aguardar a confirmação. Assim, seu aparelho estará pronto para ser usado com todas as novidades e melhorias da atualização. (To finalize your mobile phone update, we need you to place your fingerprint. It’s simple and safe! Just place your finger on the indicated sensor and wait for confirmation. Thus, your device will be ready to be used with all the news and improvements of the update.)
Sending Money Transfer Logs
Once the malware finishes the money transfer, it sends the transfer amount and the targeted bank name to the C&C server. Then it removes itself from the infected device to avoid being detected.
The TA(s) behind PixBankBot have mapped out the UI elements of each targeted banking application in detail in order to implement the ATS framework and conduct fraudulent transactions on the victim's device.
Additionally, the TA has taken further precautions to remove the malicious application from the infected device under specific circumstances. For instance, if the account balance falls below the Brazilian Real R$500.00 amount or if a money transfer has been successfully completed, the application removes itself to avoid drawing the victim’s attention or arousing suspicion.
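To make the flow described above concrete (locate the "chave" label, fill the key field, read "Saldo disponível", fill the amount, auto-click the confirmation buttons, and give up when the balance is under R$500), the following is an added example that models it over a constructed stand-in for Android's AccessibilityNodeInfo tree. It is not PixBankBot's code and not Cyble's: the node layout, the label-then-EditText ordering, the pt-BR currency format, and the transfer amount are assumptions (the report does not say how the trojan picks the amount). The point is to see exactly which UI cues the ATS routine keys on.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional


# Constructed stand-in for android.view.accessibility.AccessibilityNodeInfo.
@dataclass
class Node:
    cls: str                       # className, e.g. "android.widget.EditText"
    text: str = ""                 # getText() as seen by an accessibility service
    clickable: bool = False
    children: List["Node"] = field(default_factory=list)


def walk(root: Node) -> Iterator[Node]:
    """Pre-order traversal, the way a service recurses with getChild(i)."""
    yield root
    for child in root.children:
        yield from walk(child)


def find_by_text(root: Node, needle: str) -> List[Node]:
    """Case-insensitive substring match (the report: scanning for 'chave')."""
    needle = needle.casefold()
    return [n for n in walk(root) if needle in n.text.casefold()]


def next_edit_text(root: Node, label: Node) -> Optional[Node]:
    """First EditText after `label` in traversal order.
    Assumption: the input field follows its label in the tree."""
    after = False
    for n in walk(root):
        if n is label:
            after = True
        elif after and n.cls.endswith("EditText"):
            return n
    return None


# pt-BR currency: '.' groups thousands, ',' separates the cents.
BRL_RE = re.compile(r"R\$\s*((?:\d{1,3}\.)*\d{1,3}),(\d{2})")


def parse_brl(text: str) -> Optional[float]:
    """'Saldo disponível R$ 1.234,56' -> 1234.56; None if no amount present."""
    m = BRL_RE.search(text)
    if not m:
        return None
    return float(m.group(1).replace(".", "") + "." + m.group(2))


def format_brl(value: float) -> str:
    """1234.5 -> 'R$ 1.234,50' (the string typed into the amount field)."""
    whole, cents = divmod(round(value * 100), 100)
    return f"R$ {whole:,}".replace(",", ".") + f",{cents:02d}"


MIN_BALANCE_BRL = 500.00  # report: self-uninstall when the balance is below R$500
CONFIRM_LABELS = ("continuar", "confirmar", "confirmar valor", "transferência", "pagar")


def run_ats(screen: Node, pix_key: str, amount_brl: float) -> dict:
    """Trace the actions the described flow would take on one screen.

    Returns a dict instead of acting on a device: key_filled, balance,
    amount_filled, clicked (button labels pressed) and abort (reason).
    """
    trace = {"key_filled": False, "balance": None, "amount_filled": False,
             "clicked": [], "abort": None}

    # 1. Find the 'chave' label and type the attacker's key into the field after it.
    labels = find_by_text(screen, "chave")
    target = next_edit_text(screen, labels[0]) if labels else None
    if target is not None:
        target.text = pix_key
        trace["key_filled"] = True

    # 2. Read 'Saldo disponível'; under the threshold the trojan uninstalls instead.
    bal = find_by_text(screen, "Saldo disponível")
    trace["balance"] = parse_brl(bal[0].text) if bal else None
    if trace["balance"] is not None and trace["balance"] < MIN_BALANCE_BRL:
        trace["abort"] = "balance below R$500: uninstall"
        return trace

    # 3. The EditText showing 'R$' is the amount field; type the amount there.
    amount_fields = [n for n in walk(screen)
                     if n.cls.endswith("EditText") and n.text.lstrip().startswith("R$")]
    if amount_fields:
        amount_fields[0].text = format_brl(amount_brl)
        trace["amount_filled"] = True

    # 4. Auto-click every clickable whose label is one of the confirmation words.
    for n in walk(screen):
        if n.clickable and n.text.strip().casefold() in CONFIRM_LABELS:
            trace["clicked"].append(n.text.strip())
    return trace


def sample_screen(balance_text: str) -> Node:
    """Constructed Pix transfer screen (not captured from any real app)."""
    return Node("android.widget.FrameLayout", children=[
        Node("android.widget.TextView", balance_text),
        Node("android.widget.TextView", "Chave Pix"),
        Node("android.widget.EditText", ""),
        Node("android.widget.TextView", "Valor"),
        Node("android.widget.EditText", "R$ 0,00"),
        Node("android.widget.Button", "Continuar", clickable=True),
    ])


if __name__ == "__main__":
    print(run_ats(sample_screen("Saldo disponível R$ 1.234,56"),
                  "9f0e2c1a-0000-4000-8000-000000000000", 800.0))
```

Running the module prints the trace for a screen with R$ 1.234,56 available: the key and amount fields are filled and "Continuar" is clicked. Swap the balance line for "Saldo disponível R$ 250,00" and the routine stops after reading the balance, which is the branch the report describes as the trojan removing itself.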
The rise in the variants of ATS-based Android Banking Trojans such as BrasDex, PixPirate, GoatRAT, and the recently discovered PixBankBot targeting Brazilian banks, highlights the evolving threats faced by financial institutions in the age of digital payments. The popularity and convenience of the Pix Instant Payment platform have made it an attractive target for cybercriminals seeking to exploit its widespread adoption in the Latin American user base.
By integrating the ATS framework, these trojans can execute fraudulent transactions and collect sensitive user information. They leverage the Accessibility Service to carry out these actions discreetly, with no further user interaction once that service has been granted. Additionally, these trojans remove themselves from infected devices to avoid detection.
The persistent evolution of these malware variants indicates the likelihood of new Android Banking Trojans being discovered incorporating advanced features such as ATS, specifically targeting Brazilian banks. Users and financial institutions must remain vigilant to avoid falling victim to these emerging threats.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Initial Access | T1444 | Masquerade as a Legitimate Application |
| Defense Evasion | T1508 | Suppress Application Icon |
| Defense Evasion | T1576 | Uninstall Malicious Application |
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Description |
|---|---|---|
| a35124dbbb2313dbc9152f44e0073d69d9baee5829b1d2c07e5490fcc1073ac1 | SHA256 | PixBankBot malware hash |
| 8995dc1b421ab52eafd7d8d6d50b00cf7c49eef2 | SHA1 | PixBankBot malware hash |
| cc6de8f780b80152b6e19ca4a589a4df | MD5 | PixBankBot malware hash |
| hxxp://proctrt.sytes[.]net/tra/a.php | URL | PixBankBot C&C server |
| 6a5987be0fd287dd0acef8f8258af34411a2c3fb9b45b47868ef6a81826bfdba | SHA256 | PixBankBot malware hash |
| 05dd899eafcf02428e1277fa67b865aa049c121f | SHA1 | PixBankBot malware hash |
| 473827603fa45b5be6372400ee437409 | MD5 | PixBankBot malware hash |
| 444820474e56efd7fd39000e3f12fe7b0477dba34e8b28f9561890bc8cec6859 | SHA256 | PixBankBot malware hash |
| acdb1dfb4849365e2d176baf96dd0fa15a65eacd | SHA1 | PixBankBot malware hash |
| dbb1906ee058b7c8a719ea0e60e2e4c0 | MD5 | PixBankBot malware hash |
| 0ac1904276cc3884634daece73fcaf5fa9dff8d6514d91bab6c7379b251a9aa9 | SHA256 | PixBankBot malware hash |
| 069b773e8d87ef7c1a09178b936c4d8c705a1ba4 | SHA1 | PixBankBot malware hash |
| d32c7c09c32d1494802e48b2111ae840 | MD5 | PixBankBot malware hash |