Two malicious Android apps recently discovered on the Google Play Store have been used to target users of Brazil’s instant payment ecosystem, with the likely aim of tricking victims into fraudulently transferring their entire account balance to another bank account under the control of cybercriminals.
“The attackers distributed two different variants of banking malware, named PixStealer and MalRhino, via two separate malicious applications […] to carry out their attacks,” Check Point Research said in an analysis shared with The Hacker News. “Both malicious apps were designed to steal money from victims through user interaction and the original PIX app.”
The two apps in question, discovered in April 2021, have since been removed from Google Play.
Launched in November 2020 by the Central Bank of Brazil, the country’s monetary authority, Pix is a state-owned payment platform that allows consumers and businesses to transfer money from their bank accounts without the need for debit or credit cards.
PixStealer, which was found on Google Play posing as a fake PagBank Cashback service app, is designed to drain a victim’s funds into an attacker-controlled account, while MalRhino, masquerading as a mobile token app for the Brazilian bank Inter, comes with more advanced capabilities, including collecting the list of installed applications and retrieving the PIN code for specific banks.
“When a user opens their PIX banking app, Pixstealer shows the victim an overlay window, where the user cannot see the attacker’s movements,” the researchers said. “Behind the overlay window, the attacker collects the amount of money available and transfers the money, often the entire account balance, to another account.”
What unites PixStealer and MalRhino is that both abuse Android’s accessibility service to perform malicious actions on compromised devices, making them the latest additions to a long list of mobile malware that abuse this permission to commit data and financial theft.
Concretely, the fake overlay is accompanied by the message “Synchronizing your access … Do not turn off your mobile screen”, while in reality the malware is searching the banking app’s screen for the “Transfer” button and completing the transfer through a series of accessibility APIs.
“This technique is not commonly used on mobile malware and shows how malicious actors are getting innovative to avoid detection and break into Google Play,” the researchers said. “With the increasing abuse of the accessibility service by mobile banking malware, users should be careful not to activate relevant permissions, even in apps distributed through well-known app stores such as Google Play.”
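Because the whole attack chain above hinges on the accessibility permission, the practical check on a device is to see which packages currently hold it. The script below is an added example (it is not from the Check Point report or from the malware) that audits the Android Secure setting `enabled_accessibility_services`, which lists enabled services as colon-separated `package/service` pairs, and flags any package not on an allowlist. The allowlist contents and the sample setting value (including the `com.example.cashback` package) are constructed for illustration; on a real device you would feed in the output of `adb shell settings get secure enabled_accessibility_services`.

```shell
#!/bin/sh
# Added example, not part of the original article: audit which packages hold
# Android's accessibility service permission by parsing the Secure setting
# "enabled_accessibility_services" (colon-separated "package/service" pairs).

# Assumed allowlist of accessibility apps you expect on the device (e.g. a
# screen reader). Replace with whatever your fleet legitimately uses.
ALLOWLIST="com.google.android.marvin.talkback"

# Constructed sample standing in for the output of:
#   adb shell settings get secure enabled_accessibility_services
# The second entry imitates a "sync" service shipped by a bogus cashback app.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.cashback/com.example.cashback.SyncService"

# Print one package name per line from a colon-separated services string.
# "settings get" returns the literal string "null" when nothing is enabled.
list_a11y_packages() {
    case "$1" in
        ""|null) return 0 ;;
    esac
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Print every package that holds the permission but is not allowlisted.
# Returns 1 when at least one unexpected package was found, 0 otherwise,
# so it can drive an alert in a fleet check.
find_unexpected_a11y() {
    found=0
    for pkg in $(list_a11y_packages "$1"); do
        allowed=0
        for ok in $ALLOWLIST; do
            [ "$pkg" = "$ok" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$pkg"
            found=1
        fi
    done
    return $found
}

# Run against the constructed sample. For a live device use instead:
#   find_unexpected_a11y "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
# (the tr strips the CR that adb shell emits on some platforms)
find_unexpected_a11y "$SAMPLE" || echo "unexpected accessibility service holder(s) listed above"
```

Any package reported here deserves a look: a legitimate screen reader or automation tool belongs on the allowlist, while a "cashback" or "token" app that needs to read and click inside other apps' screens is exactly the profile described above.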