Cybersecurity researchers have discovered half-a-dozen new Android malware families that come with capabilities to steal data from compromised devices and conduct financial fraud.

The malware families range from traditional banking trojans like PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT to full-fledged remote administration tools such as SURXRAT.

PixRevolution, according to Zimperium, targets Brazil’s Pix instant payment platform, hijacking victims’ money transfers in real-time to route them to the threat actors instead of the intended payee.

“This new strain of malware operates stealthily within the device until the moment the victim initiates a Pix transfer,” security researcher Aazim Yaswant said. “What distinguishes this threat from conventional banking trojans is its fundamental design: a human or AI agent operator is actively engaged on the remote end, observing the victim’s phone screen instantaneously, poised to act at the precise moment of transaction.”

The Android malware propagates via fake Google Play Store app listing pages for apps like Expedia, Sicredi, and Correios to trick users into installing the malicious dropper APK files. Once installed, the apps urge users to enable accessibility services so that the malware can realize its goals.

It also connects to an external server over TCP on port 9000 to send periodic heartbeat messages containing device information and activate real-time screen capture using Android’s MediaProjection API. The main functionality of PixRevolution, though, is the monitoring of the victim’s screen and serving a fake overlay as soon as a victim enters the desired amount and the Pix key of the recipient to initiate the payment.

At that point, the trojan shows a fake WebView overlay that says “Aguarde…” (meaning “wait” in Portuguese/Spanish), while, in the background, it replaces the Pix key with the attacker’s to complete the funds transfer. In the final stage, the overlay is removed, and the victim is shown a “transfer complete” confirmation screen in the Pix app.

“From the victim’s perspective, nothing unusual happened,” Yaswant said. “The app briefly showed a loading indicator, something that occurs routinely during legitimate banking operations. The transfer was confirmed successfully. The amount they intended to send was deducted from their account.”

“It is only later, sometimes much later, that the victim discovers the money went to the wrong account. And because Pix transfers are instant and final, recovery is extraordinarily difficult.”
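For defenders, the periodic heartbeat to TCP port 9000 described above is something that can be hunted for in network flow logs. The following is an added example, not code from the article or from Zimperium; the flow records are constructed, and the thresholds and field layout are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

HEARTBEAT_PORT = 9000    # port reported in the article
MIN_EVENTS = 5           # assumption: connections needed before judging periodicity
MAX_JITTER = 0.15        # assumption: stddev/mean of intervals at or below this is "regular"
MAX_SIZE_SPREAD = 0.25   # assumption: heartbeats carry similar-sized payloads

# Constructed records (epoch s, src, dst, dst_port, bytes_out); private and RFC 5737 addresses.
SAMPLE_FLOWS = (
    # handset sending a small, similar-sized message roughly every 30 s
    [(1000 + 30 * i + j, "10.0.0.21", "203.0.113.7", 9000, 310 + j)
     for i, j in enumerate([0, 1, -1, 2, 0, 1, -2, 0])]
    # laptop using a legitimate service on 9000: irregular timing, varied sizes
    + [(t, "10.0.0.40", "198.51.100.9", 9000, b)
       for t, b in [(1003, 1200), (1010, 90), (1190, 45000),
                    (1700, 300), (1702, 8000), (2900, 60)]]
    # regular traffic on another port, ignored by the default rule
    + [(1000 + 60 * i, "10.0.0.21", "192.0.2.5", 443, 500) for i in range(8)]
)

def find_heartbeats(flows, port=HEARTBEAT_PORT):
    """Return [(src, dst, mean_interval_s, jitter)] for regular beacons to `port`."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, size in flows:
        if dport == port:
            by_pair[(src, dst)].append((ts, size))
    hits = []
    for (src, dst), events in sorted(by_pair.items()):
        if len(events) < MIN_EVENTS:
            continue
        events.sort()
        times = [t for t, _ in events]
        sizes = [s for _, s in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap            # coefficient of variation of intervals
        size_spread = pstdev(sizes) / mean(sizes)  # same measure for payload sizes
        if jitter <= MAX_JITTER and size_spread <= MAX_SIZE_SPREAD:
            hits.append((src, dst, round(avg_gap, 1), round(jitter, 3)))
    return hits

if __name__ == "__main__":
    for src, dst, gap, jitter in find_heartbeats(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{HEARTBEAT_PORT} every ~{gap}s (jitter {jitter})")
```

Port 9000 is also used by legitimate software, so the rule keys on regular timing and uniform payload size rather than the port alone; a hit is a lead for device triage, not a verdict.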

Brazilian users have also become the target of another Android‑based malware campaign called BeatBanker, which spreads primarily through phishing attacks via a website disguised as the Google Play Store. BeatBanker gets its name from the use of an unusual persistence mechanism that involves playing an almost inaudible audio file, a 5-second recording featuring Chinese words, on a loop to prevent it from being terminated.

Besides incorporating…



Last Update: March 12, 2026