PixPirate - Advanced Android Threat Targets Brazilian Financial Organizations

The PixPirate campaign

• The malware is delivered under the pretense of fake authenticator apps, possibly via third-party app stores. It uses fake names, such as Key Authenticator / Updated Key Authenticator, and icons to lure victims into downloading the apps.
• Upon installation, it asks for permissions for Accessibility Services, which are then used for further malicious activities such as intercepting and deleting SMS, intercepting banking credentials, and disabling Google Play Protect.
• Furthermore, it performs Automatic Transfer System (ATS) attacks on banks via PIX transactions, which is a popular payment method supported and used by several banks in Brazil.

Evading detection

• Its code is based on Auto.js, an automation platform used for developing Android applications, with an on-device JavaScript interpreter, complicating reverse engineering efforts. 
• It allows the automation of tasks such as simulating touch-based interactions, entering text, and scrolling across lists, all wrapped under a heavy layer of code obfuscation.
• In addition, the developers use evasion techniques such as control flow flattering, and string array encoding, along with garbage functions and variable names.

What more

• PixPirate uses HTTP for its C2 server communications, while for data transfer and exchange, it uses JSON format.
• The developer further leverages the certificate pinning technique to protect its communications from man-in-the-middle attacks.

Ending notes