Check Point Research (CPR) has detected cyber-attacks against the users of PIX, the instant payment solution created and managed by the Central Bank of Brazil.
The attackers distributed two different variants of banking malware, named PixStealer and MalRhino, through two separate malicious applications on Google’s Play Store to carry out their attacks. Both malicious applications were designed to steal victims’ money by combining user interaction with the legitimate PIX application.
The first variant is dubbed PixStealer. Presented in what CPR calls a ‘slim’ form, PixStealer was designed with only one capability: transferring a victim’s funds to an actor-controlled account. The ‘slim’ label refers to the variant’s ability to operate without any connection to a command and control (C&C) server, which helps it evade detection. CPR ultimately found PixStealer being distributed on Google’s Play Store as a fake PagBank Cashback service, targeting only the Brazilian PagBank.
When a user opens their PIX bank application, PixStealer shows the victim an overlay window, so the user cannot see the attacker’s actions. Behind the overlay window, the malware reads the available balance and transfers the money, often the entire account balance, to another account.
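The overlay technique described above depends on the malicious app holding the Android draw-over-other-apps permission (SYSTEM_ALERT_WINDOW). A simple triage step for a defender or incident responder is to enumerate which installed packages hold that permission and flag any that are not on a known-good list. The following is an added example, not code from Check Point Research or from the malware itself; it parses the output of `adb shell dumpsys package` (the line format is assumed from typical Android builds) and the sample dump embedded here is constructed, including the package names.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of `adb shell dumpsys package` output. The package names
# and the "<permission>: granted=true|false" line format are assumptions made
# for this example; on a real device, feed the command's actual output instead.
SAMPLE_DUMPSYS = """
Packages:
  Package [com.example.bank] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=false
  Package [com.example.cashback] (4d5e6f):
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.INTERNET: granted=true
  Package [com.android.systemui] (7g8h9i):
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
"""

OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# "  Package [com.example.app] (hash):" opens a new package section.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# "      android.permission.X: granted=true" lists one permission and its state.
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_permissions(dump: str) -> Dict[str, Dict[str, bool]]:
    """Map each package name to {permission: granted} from a dumpsys dump."""
    result: Dict[str, Dict[str, bool]] = {}
    current = None
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result[current] = {}
            continue
        perm = PERM_RE.match(line)
        if perm and current is not None:
            result[current][perm.group(1)] = perm.group(2) == "true"
    return result


def find_overlay_capable(dump: str, allowlist: Iterable[str]) -> List[str]:
    """Return packages granted the overlay permission that are not allowlisted.

    System components (launcher, system UI) legitimately hold this permission,
    so the caller supplies an allowlist of expected packages; everything else
    that can draw over other apps deserves a closer look.
    """
    allowed = set(allowlist)
    perms = parse_permissions(dump)
    return sorted(
        pkg for pkg, granted in perms.items()
        if granted.get(OVERLAY_PERMISSION) and pkg not in allowed
    )


if __name__ == "__main__":
    # Hypothetical allowlist: only the constructed system UI package is expected.
    suspects = find_overlay_capable(SAMPLE_DUMPSYS, ["com.android.systemui"])
    for pkg in suspects:
        print(f"review: {pkg} can draw over other apps")
```

On a real device the dump would come from `adb shell dumpsys package` piped into `parse_permissions`; the allowlist should be built from a known-clean device of the same model, since the set of system packages that legitimately hold the overlay permission varies by vendor.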
CPR went on to find a more advanced banking malware variant, capable of hijacking the entire PIX mobile application and other bank applications.