PixPirate Resurfaces: Spreading via WhatsApp and Expanding Beyond Brazil
A new iteration of the PixPirate malware has been detected by IBM Trusteer researchers, marking the resurgence of a highly sophisticated threat originally observed in 2021. The malware, known for targeting financial services, has evolved significantly, leveraging WhatsApp as a primary vector for its propagation.
Initially focused on Brazil’s Pix payment services, PixPirate has expanded its reach to countries like India, Italy, and Mexico. IBM Trusteer noted that the malware has “the largest number of infections in Brazil (almost 70% of all infections), but with an additional reach that expanded to other markets in the world, including India and most recently Italy and Mexico. Outside of Brazil, India is the next-most infected country by PixPirate, with nearly 20% of the total infections in the world.”
India’s Unified Payments Interface (UPI) appears to be a potential target due to its widespread use. Researchers caution that PixPirate’s expansion signals a broader threat, with its campaign likely to grow globally.
PixPirate operates through a two-component system: the downloader and the droppee. The downloader disguises itself as a legitimate financial application and handles the installation and execution of the droppee—PixPirate’s core malware.
Key innovations in the new campaign include:
- YouTube-Based Social Engineering: The downloader directs victims to a YouTube tutorial, simulating a legitimate installation process for financial applications. The video, which has over 78,000 views, misleads users into granting permissions for the droppee.
- WhatsApp Integration: Once installed, the malware spreads via malicious WhatsApp messages sent from the victim’s account. As IBM Trusteer highlighted, “WhatsApp messages look more legitimate and reliable than SMS messages… especially when received from a known contact.”
- Advanced Obfuscation: The malware hides its icon from the device’s home screen, making manual removal difficult. The downloader retains control, executing the hidden droppee using Android APIs.
The PixPirate downloader includes a WhatsApp APK in its assets, installing it on devices where the app is absent. This functionality enables the malware to exploit WhatsApp’s trust-based ecosystem by:
- Sending and deleting messages.
- Adding, modifying, or deleting contacts.
- Creating groups and spamming them with malicious links.
To evade detection during this activity, PixPirate overlays the screen, effectively hiding its operations from the user. “The PixPirate malware uses an overlay technique to hide the device screen, so the victim won’t notice the malware is using the WhatsApp app,” the report explained.
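As an added illustration (not code from the IBM Trusteer report or this article), the triage below scores an Android app inventory for the traits described above: sideloaded installation, no launcher icon, the draw-over-apps permission used for the overlay, and the ability to install further APKs, and it follows installer links back to the package that dropped an app, which is how a droppee points back to its downloader. The two permission strings are real Android names; the package names, installer fields and inventory are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

PLAY_STORE = "com.android.vending"
# Real Android permission names for the two capabilities the report describes:
# drawing over other apps (the screen overlay) and installing further APKs.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"


@dataclass(frozen=True)
class AppRecord:
    package: str
    installer: Optional[str]      # package that installed it, None if unknown
    has_launcher_activity: bool   # False means no home-screen icon
    permissions: FrozenSet[str]


def triage(app: AppRecord) -> List[str]:
    """Return the PixPirate-style indicators this app matches, in fixed order."""
    hits = []
    if app.installer != PLAY_STORE:
        hits.append("sideloaded")
    if not app.has_launcher_activity:
        hits.append("hidden-icon")
    if OVERLAY in app.permissions:
        hits.append("overlay")
    if INSTALL in app.permissions:
        hits.append("installs-apks")
    return hits


def report(inventory: List[AppRecord], min_hits: int = 2) -> Dict[str, List[str]]:
    """Map package -> indicators for every app with at least min_hits indicators."""
    flagged = {}
    for app in inventory:
        hits = triage(app)
        if len(hits) >= min_hits:
            flagged[app.package] = hits
    return flagged


def install_chain(inventory: List[AppRecord], package: str) -> List[str]:
    """Follow installer links back, e.g. droppee -> downloader -> browser."""
    by_name = {a.package: a for a in inventory}
    chain = [package]
    while package in by_name and by_name[package].installer:
        package = by_name[package].installer
        if package in chain:      # guard against cyclic installer records
            break
        chain.append(package)
    return chain


# Constructed sample inventory (hypothetical package names, not real indicators).
INVENTORY = [
    AppRecord("com.example.realbank", PLAY_STORE, True, frozenset({"android.permission.INTERNET"})),
    AppRecord("com.example.fakebank", "com.android.chrome", True, frozenset({INSTALL})),
    AppRecord("com.example.droppee", "com.example.fakebank", False, frozenset({OVERLAY})),
    AppRecord("com.whatsapp", "com.example.fakebank", True, frozenset({"android.permission.CAMERA"})),
]
```

With this inventory the downloader stand-in is flagged for sideloading plus installing APKs, the droppee for sideloading, a hidden icon and the overlay permission, and the installer chain of the droppee leads back through the downloader to the browser it was fetched with.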
To mitigate the risks posed by PixPirate, IBM Trusteer recommends:
- Avoid Installing Apps from Unknown Sources: Only download apps from official stores like Google Play.
- Verify Messaging Links: Be cautious of unsolicited links, even when received from trusted contacts.
- Monitor Permissions: Regularly review app permissions and revoke unnecessary access.
- Educate Users: Raise awareness about social engineering tactics, especially during app installations.