PixRevolution attack flow | Image: zLabs
Cybersecurity experts at Zimperium’s zLabs have unmasked a high-stakes mobile threat named “PixRevolution,” a novel Android banking trojan engineered to hijack transactions on Brazil’s dominant instant payment platform, PIX. With over 150 million registered users, the PIX system has become a primary target for “organized, professional mobile fraud” due to its instant and irrevocable nature.
Unlike traditional banking trojans that rely on automated scripts, PixRevolution employs a sophisticated “agent-in-the-loop” model. This design allows a human or AI operator to watch the victim’s screen in near real-time, waiting for the precise moment to strike.
“What distinguishes this threat from conventional banking trojans is its fundamental design: a human or AI agent operator is actively engaged on the remote end, observing the victim’s phone screen instantaneously, poised to act at the precise moment of transaction.”
By utilizing an active observer, the malware effectively sidesteps the need to update code for every UI change in various banking apps—if a human can see the button, the trojan can click it.
The attack is described by researchers as a meticulously “orchestrated sequence”:
- The Trap: Victims are lured through fake Google Play Store pages that are “perfect replicas of legitimate listings” for popular apps like Expedia or the Brazilian Postal Service (Correios).
- Gaining Control: Once installed, the app uses social engineering to trick users into enabling Android’s Accessibility Services. This grants the trojan “the keys to the kingdom,” allowing it to read all text on the screen and perform gestures like taps and swipes.
- Real-Time Surveillance: The malware establishes a persistent TCP connection to a command-and-control (C2) server and begins streaming JPEG frames of the device’s screen back to the operator.
- The Hijack: When the victim initiates a PIX transfer, the operator sends a command to replace the intended recipient’s key with the attacker’s. A fake “Aguarde…” (Please wait) overlay is displayed to blind the user for just a few seconds while the swap occurs.
- The Vanishing Act: The overlay disappears, and the victim sees a “transfer complete” screen. They remain unaware that their funds have been diverted, and by the time they notice it is often too late to recover them.
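As an added defender-side example (not part of the zLabs report or this article): because the Accessibility Services grant in the second step is what makes the rest of the chain possible, a triage script can read a device’s `enabled_accessibility_services` setting over adb and flag any service whose package is not on an allowlist. The allowlist contents, the adb helper and the sample setting value below are assumptions constructed for illustration.

```python
"""Flag unexpected Android accessibility-service grants (added example)."""
import subprocess
from typing import List, Optional, Tuple

# Services the device owner actually expects to be enabled. Assumed
# allowlist for illustration: extend it for the screen reader or MDM in use.
ALLOWLIST = {"com.google.android.marvin.talkback"}  # TalkBack screen reader

def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Parse the Secure setting `enabled_accessibility_services`.

    Colon-separated ComponentName strings "pkg/cls"; the short form
    "pkg/.Cls" abbreviates a class inside the package. "null" or an empty
    string means nothing is enabled.
    """
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    services = []
    for item in raw.split(":"):
        if "/" not in item:
            continue  # malformed entry: skip rather than crash
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def suspicious_services(raw: str, allowlist=ALLOWLIST) -> List[Tuple[str, str]]:
    """Enabled services whose package is not allowlisted. A trojan of this
    kind needs exactly this grant to read the screen and inject taps."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in allowlist]

def read_from_device(serial: Optional[str] = None) -> str:
    """Pull the raw setting from an attached device (needs adb on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed sample: TalkBack plus an unknown service from a lookalike
# travel app, the kind a fake store listing would install.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.fakeexpedia/.AccessService")

if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE):
        print(f"UNEXPECTED accessibility service: {pkg} ({cls})")
```

On a live device, pass the output of `read_from_device()` to `suspicious_services()`; an empty result means every enabled service is one the owner expects.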
The level of operational polish in PixRevolution is significant. The malware contains hardcoded logo URLs for 10 major Brazilian financial institutions, including Nubank, Itaú, and Banco do Brasil.
“The bank logos found in the code are not detection triggers. They are thematic assets… It is a detail that speaks to operational polish.”
Furthermore, the trojan monitors for over 80 Portuguese-language phrases related to financial activity, firing structured alerts to the C2 whenever keywords like “pix enviado” (pix sent) appear on the screen.
Because PIX transactions settle in seconds and lack a chargeback window, researchers emphasize that recovery is “extraordinarily difficult”.