PixPirate new infection methodology | Image: IBM Trusteer
A new iteration of the PixPirate malware has been detected by IBM Trusteer researchers, marking the resurgence of a sophisticated threat first observed in 2021. The malware, known for targeting financial services, has evolved significantly and now uses WhatsApp as its primary propagation vector.
Initially focused on Brazil's Pix payment services, PixPirate has expanded its reach to countries such as India, Italy, and Mexico. IBM Trusteer noted "the largest number of infections in Brazil (almost 70% of all infections), but with an additional reach that expanded to other markets in the world, including India and most recently Italy and Mexico. Outside of Brazil, India is the next-most infected country by PixPirate, with nearly 20% of the total infections in the world."
India's Unified Payments Interface (UPI) appears to be a likely target because of its widespread use. Researchers caution that PixPirate's expansion signals a broader threat, with the campaign likely to keep growing globally.
PixPirate operates as a two-component system: the downloader and the droppee. The downloader disguises itself as a legitimate financial application and handles the installation and execution of the droppee, PixPirate's core malware.
Key innovations in the new campaign include:
- YouTube-Based Social Engineering: The downloader directs victims to a YouTube tutorial, simulating a legitimate installation process for financial applications. The video, which has over 78,000 views, misleads users into granting permissions for the droppee.
- WhatsApp Integration: Once installed, the malware spreads via malicious WhatsApp messages sent from the victim's own account. As IBM Trusteer highlighted, "WhatsApp messages look more legitimate and reliable than SMS messages… especially when received from a known contact."
- Icon Hiding: The droppee hides its icon from the device's home screen, so the victim has no obvious way to find or manually remove it. The downloader retains control and launches the hidden droppee through Android APIs.
The PixPirate downloader bundles a WhatsApp APK in its assets and installs it on devices where the app is absent. The malware then abuses the trust users place in messages from known contacts by:
- Sending and deleting messages.
- Adding, modifying, or deleting contacts.
- Creating groups and spamming them with malicious links.
To keep this activity out of sight, PixPirate draws an overlay over the screen, hiding what it is doing inside WhatsApp from the user. "The PixPirate malware uses an overlay technique to hide the device screen, so the victim won't notice the malware is using the WhatsApp app," the report explained.
To mitigate the risks posed by PixPirate, IBM Trusteer recommends:
- Avoid Installing Apps from Unknown Sources: Only download apps from official stores like Google Play, and treat any "tutorial" that walks you through enabling installation from unknown sources as a warning sign.
- Verify Messaging Links: Be cautious of unsolicited links, even when received from trusted contacts.
- Monitor Permissions: Regularly review app permissions and revoke unnecessary access.
- Educate Users: Raise awareness about social engineering tactics, especially during app installations.
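Two of the traits described above (a droppee with no launcher icon, and an overlay drawn over WhatsApp) and the recommendation to review installed apps and their permissions can be turned into a quick device triage. The script below is an added example written for this article, not code from IBM Trusteer or from the malware; it parses the output of three `adb shell` commands (`pm list packages -3 -i`, `cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`, and `appops get <pkg> SYSTEM_ALERT_WINDOW`) and flags third-party packages that were sideloaded, have no home-screen icon, or are allowed to draw over other apps. The sample outputs, package names and the exact output formats are constructed assumptions for offline use; on a real device you would capture the commands' output and feed it to the same parsers.

```python
"""Triage Android packages for PixPirate-like traits (sideloaded, no launcher
icon, overlay permission). Added example for this article; not from the IBM
Trusteer report. Sample adb outputs below are constructed, and their exact
format is an assumption about current Android builds."""
import re
from dataclasses import dataclass, field

PLAY_STORE = "com.android.vending"

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps
# with their installer). installer=null means nothing recorded a store as the
# installer, i.e. the package was sideloaded (for example by a dropper).
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.bankapp  installer=com.android.vending
package:com.example.cert.updater  installer=null
"""

# Constructed sample of `adb shell cmd package query-activities --brief
#   -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`.
# Apps with a home-screen icon appear here; a hidden droppee does not.
SAMPLE_LAUNCHER_ACTIVITIES = """\
2 activities found:
  com.whatsapp/.Main
  com.example.bankapp/.ui.LauncherActivity
"""

# Constructed sample of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`,
# one entry per package. "allow" means the app may draw over other apps,
# which is what an overlay that hides WhatsApp activity needs.
SAMPLE_OVERLAY_APPOPS = {
    "com.whatsapp": "No operations.",
    "com.example.bankapp": "SYSTEM_ALERT_WINDOW: deny; time=+3d4h ago",
    "com.example.cert.updater": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m ago",
}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")
ACTIVITY_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)/(\S+)")
APPOP_LINE = re.compile(r"^SYSTEM_ALERT_WINDOW:\s*(\w+)")


def parse_packages(text):
    """Return {package: installer} from `pm list packages -3 -i` output."""
    result = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_launcher_packages(text):
    """Return the set of packages exposing a MAIN/LAUNCHER activity."""
    packages = set()
    for line in text.splitlines():
        m = ACTIVITY_LINE.match(line)
        if m:
            packages.add(m.group(1))
    return packages


def overlay_allowed(appops_output):
    """True if `appops get <pkg> SYSTEM_ALERT_WINDOW` reports the op allowed."""
    m = APPOP_LINE.match(appops_output.strip())
    return bool(m) and m.group(1).lower() == "allow"


@dataclass
class Finding:
    package: str
    reasons: list = field(default_factory=list)


def triage(packages, launcher_packages, overlay_appops, min_reasons=2):
    """Flag packages showing PixPirate-like traits. Each trait alone is normal
    for some legitimate apps, so a package is reported only when at least
    `min_reasons` traits coincide."""
    findings = []
    for pkg, installer in packages.items():
        reasons = []
        if installer != PLAY_STORE:
            reasons.append("sideloaded (installer=%s)" % installer)
        if pkg not in launcher_packages:
            reasons.append("no launcher icon")
        if overlay_allowed(overlay_appops.get(pkg, "")):
            reasons.append("overlay (SYSTEM_ALERT_WINDOW) allowed")
        if len(reasons) >= min_reasons:
            findings.append(Finding(pkg, reasons))
    return findings


def run_triage_on_samples():
    """Run the triage over the constructed samples above."""
    return triage(parse_packages(SAMPLE_PACKAGES),
                  parse_launcher_packages(SAMPLE_LAUNCHER_ACTIVITIES),
                  SAMPLE_OVERLAY_APPOPS)


if __name__ == "__main__":
    for f in run_triage_on_samples():
        print(f.package)
        for r in f.reasons:
            print("  -", r)
```

The three signals are deliberately combined rather than used alone: plenty of legitimate apps are sideloaded by enterprises, some background services have no launcher icon, and chat heads or screen filters legitimately hold the overlay permission. A third-party package that is sideloaded, invisible on the home screen, and able to draw over other apps at the same time is the profile this article describes and is worth inspecting by hand.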