Hackers Target Brazil's PIX Payment System

Hackers are targeting Brazil’s PIX payment system, using two malicious apps on the Google Play Store to trick victims into fraudulently transferring their entire account balances to a bank account under the attackers’ control.

According to CheckPoint researchers, “The attackers distributed two different variants of banking malware, named PixStealer and MalRhino, through two separate malicious applications […] to carry out their attacks. Both malicious applications were designed to steal the money of victims through user interaction and the original PIX application.”

The PIX payment system was introduced by the Central Bank of Brazil in November 2020. It is a state-owned payments platform that enables consumers and companies to make money transfers from their bank accounts without requiring debit or credit cards.

The two apps distributed on the Google Play Store carried PixStealer and MalRhino. PixStealer is a fake PagBank Cashback service app designed to empty a victim’s funds into an actor-controlled account. MalRhino poses as a mobile token app for Brazil’s Inter bank and comes with more advanced features, including collecting the list of installed apps and retrieving the PIN for specific banks.

The researchers said, “When a user opens their PIX bank application, Pixstealer shows the victim an overlay window, where the user can’t see the attacker’s moves. Behind the overlay window, the attacker retrieves the available amount of money and transfers the money, often the entire account balance, to another account.”

The common link between PixStealer and MalRhino is that both apps abuse Android’s accessibility service to perform malicious actions on the compromised devices. This makes them the newest additions to the long list of mobile malware that leverages that permission for data theft.

The fake overlay hijacks the entire screen and displays the message “Synchronizing your access… Do not turn off your mobile screen”. Meanwhile, in the background, the malware searches for the “Transfer” button and performs the transaction with the help of the accessibility APIs.
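Because both families depend on the victim granting accessibility access, one practical check for a fleet administrator is to audit which packages actually hold an enabled accessibility service. The script below is an added example, not code from the article or from Check Point: it parses the colon-separated `package/ServiceClass` list that `adb shell settings get secure enabled_accessibility_services` returns and flags any package not on an allowlist. The sample string and the allowlist are constructed for the example; the package name `com.example.fakecashback` is a placeholder, not the real malicious app’s identifier.

```shell
#!/bin/sh
# Added example (not from the article or Check Point): audit the accessibility
# services enabled on an Android device and flag packages that are not trusted.
# On a real device the input comes from:
#   adb shell settings get secure enabled_accessibility_services
# which returns entries of the form package/ServiceClass separated by ':'.

# Constructed sample output standing in for the adb command above.
# "com.example.fakecashback" is a placeholder package name, not a real IoC.
SAMPLE_ENABLED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakecashback/.SyncService'

# Packages the organisation trusts with accessibility access (assumed list).
ALLOWLIST='com.android.talkback com.google.android.marvin.talkback'

# audit_accessibility LIST
#   Prints one "FLAG <package>" line per enabled service whose package is not
#   on ALLOWLIST. Returns 1 if anything was flagged, 0 otherwise.
audit_accessibility() {
    list=$1
    flagged=0
    # An empty or "null" setting means no accessibility service is enabled.
    if [ -z "$list" ] || [ "$list" = "null" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=':'
    for entry in $list; do
        pkg=${entry%%/*}                 # package name is the part before '/'
        case " $ALLOWLIST " in
            *" $pkg "*) ;;               # trusted package, nothing to report
            *) echo "FLAG $pkg"; flagged=1 ;;
        esac
    done
    IFS=$old_ifs
    return $flagged
}

# Run against the constructed sample (on a device, feed in the adb output instead).
if audit_accessibility "$SAMPLE_ENABLED"; then
    echo "no unexpected accessibility services enabled"
fi
```

Run it as a plain POSIX `sh` script; on a managed device, replace `SAMPLE_ENABLED` with the output of the `adb shell settings` command and extend `ALLOWLIST` with the screen readers or automation tools the organisation actually sanctions. A flagged package is not proof of malware, but an unexpected app holding accessibility access is exactly the condition both PixStealer and MalRhino need, so it is worth investigating.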

The MalRhino variant uses Mozilla’s Java-based Rhino JS framework to run JavaScript commands inside targeted banking applications, after convincing the user to turn on accessibility services.

The researchers further added, “This technique is not commonly used on mobile malware and shows how malicious actors are getting innovative to avoid detection and get inside Google Play.

With the increasing abuse of the Accessibility Service by mobile banking malware, users should be wary of enabling the relevant permissions even in the applications distributed via known app stores such as Google Play.”
