Two recently discovered malicious Android apps have been used to target Brazil’s immediate payment ecosystem users in an apparent attempt to deceive victims into illicitly moving their entire bank balances into another bank account controlled by hackers.
According to Check Point Research, the attackers transmitted two different strains of banking malware to carry out their attacks. They are dubbed PixStealer and MalRhino and are distributed via two separate malicious apps.
Both apps were meant to steal money through user interaction and the authentic PIX app. The two suspicious applications were withdrawn from the app store soon after they were discovered in April 2021.
Pix is a state-owned payments network that allows individuals and businesses to transfer money from their bank accounts without the need for debit or credit cards. The Central Bank of Brazil launched it in November 2020.
PixStealer is meant to transfer cash from a victim’s account to an actor-controlled account. In contrast, MalRhino has sophisticated capabilities such as collecting a list of installed applications and retrieving PINs for certain banks.
When a user launches their PIX bank app, Pixstealer displays an overlay window where the victim can’t observe the attacker’s moves. Behind the overlay window, the attacker obtains the available funds and transfers them to another account, usually the whole account balance.
PixStealer and MalRhino have one thing in common: they both exploit Android’s accessibility service to execute malicious activities on infected devices, making them the latest in a long line of mobile malware that uses the privilege to steal data.
The false overlay displays a message that says, “Synchronizing your access… Do not switch off your mobile device.” But in reality, the virus looks for the “Transfer” button to conduct the transfer via different accessibility APIs.
The MalRhino version is also notable for employing Mozilla’s Java-based Rhino JS framework to execute JavaScript instructions within targeted banking apps, but only after convincing the user to enable accessibility services.
This method is not often used on mobile malware, but it demonstrates how threat actors are becoming more innovative in their attempts to escape detection and leverage Google Play. Because mobile banking malware is increasingly abusing the Accessibility Service, users should be careful about allowing the relevant permissions in apps downloaded from well-known app stores, like Google Play.
