These fake Android apps exploit Brazilian companies for theft via Pix
2021-09-30
The popularity of Pix, the Central Bank system that allows instant transfers between people, is attracting many criminals. Besides robberies and kidnappings, they are now also operating through malware.
Research by the threat intelligence division of Check Point Software, a global cybersecurity vendor, detected cyber attacks targeting users' Pix access. The scams are carried out by two banking malware families that criminals distributed through malicious apps available on the Google Play Store. According to the study, the malware is called PixStealer and MalRhino and was identified in two fake apps: PagBank Cashback (PagBank's real cashback feature lives inside its own app, which is simply called PagBank) and iToken for Banco Inter, both posing as applications related to Brazilian companies.
Check Point's research also states that these viruses are evolutions of a well-known Brazilian family of banking malware that has been distributed on the Google Play Store before, now with new functions that allow the theft of victims' money from Pix transactions.
How the threats work
PixStealer, which Check Point's research considers a lightweight malware because it acts only from within the malicious application that carries it, has a single feature: transferring the victim's funds to an account controlled by the attacker. It also operates without connecting to a command and control server, which lets it go unnoticed by many antivirus products.
According to Check Point, PixStealer was distributed through a fake PagBank Cashback application aimed at users of PagBank's banking services. The first time the malicious app is opened, it asks the device owner to grant it accessibility permissions, claiming that this step is necessary to enable the "cashback" feature the service advertises.
Once the accessibility permission has been granted, when the user opens the real PagBank application to access Pix, PixStealer shows the victim a pop-up window behind which the user cannot see the attacker's actions. Behind the overlay window, the malware reads the balance available and, in most cases, transfers the entire amount to another account.
The second malware identified by the research is called MalRhino. When first run, MalRhino, just like PixStealer, displays a message to its victim trying to convince them to grant accessibility permission. Once that access is granted, MalRhino can collect the list of installed apps and send it to the command and control (C&C) server along with the victim's device information, launch banking apps and, specifically, retrieve the Nubank app PIN.
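Both malware families hinge on the same thing: an app that declares an accessibility service and then hides its activity behind a window (PixStealer) or ships what it reads to a server (MalRhino). The script below is an added example, not code from Check Point or from either malware, showing how a defender could triage an exported app inventory for that pattern. The inventory, the package names and the brand-to-package allow-list are all constructed placeholders; a real allow-list would hold the package ids from each bank's official store listing.

```python
"""Triage an Android app inventory for accessibility-service abuse indicators.

Added example (not from the Check Point report). The inventory records are
constructed; package names under com.example are placeholders.
"""
import re
from dataclasses import dataclass

# Real Android permission strings an app lists as <uses-permission>.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INTERNET = "android.permission.INTERNET"

# Constructed allow-list: brand keyword in the app label -> package the genuine
# app is expected to use. Placeholders, not the banks' real package ids.
KNOWN_BRANDS = {
    "pagbank": "com.example.pagbank.official",
    "inter": "com.example.bancointer.official",
}


@dataclass(frozen=True)
class App:
    package: str
    label: str
    permissions: frozenset       # <uses-permission> entries from the manifest
    accessibility_service: bool  # app declares an AccessibilityService
    installer: str               # installing package, e.g. com.android.vending


def risk_indicators(app: App) -> list:
    """Return human-readable indicators for one app (empty list = nothing flagged)."""
    hits = []
    if app.accessibility_service:
        hits.append("declares an accessibility service")
        if OVERLAY in app.permissions:
            # Accessibility plus an overlay window is the PixStealer-style combination:
            # the overlay can hide what the service does in the foreground app.
            hits.append("accessibility + overlay: can hide its own actions behind a window")
        if INTERNET in app.permissions:
            # Accessibility plus network access is the MalRhino-style combination:
            # whatever the service reads can be sent to a C&C server.
            hits.append("accessibility + network: can exfiltrate what it reads")
    label = app.label.lower()
    for brand, official in KNOWN_BRANDS.items():
        # Word-boundary match so 'inter' does not fire on labels like 'internet'.
        if re.search(rf"\b{brand}\b", label) and app.package != official:
            hits.append(f"label mentions '{brand}' but package is not {official}")
    return hits


def triage(inventory) -> dict:
    """Map package -> indicators for every app with at least one indicator."""
    result = {}
    for app in inventory:
        hits = risk_indicators(app)
        if hits:
            result[app.package] = hits
    return result


# Constructed inventory: one genuine bank app, two lookalikes shaped like the
# apps described in the article, and a legitimate screen reader for contrast.
SAMPLE_INVENTORY = [
    App("com.example.pagbank.official", "PagBank",
        frozenset({INTERNET}), False, "com.android.vending"),
    App("com.example.cashback.rewards", "PagBank Cashback",
        frozenset({INTERNET, OVERLAY}), True, "com.android.vending"),
    App("com.example.itoken.inter", "iToken Banco Inter",
        frozenset({INTERNET}), True, "com.android.vending"),
    App("com.example.screenreader", "Screen Reader",
        frozenset(), True, "com.android.vending"),
]

if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE_INVENTORY).items():
        print(pkg)
        for hit in hits:
            print("  -", hit)
```

The output is a triage list, not a verdict: the screen reader is flagged too, because legitimate assistive apps also declare accessibility services. What separates the lookalikes is the combination of indicators (accessibility plus overlay or network access plus a brand name on a package the bank does not own), which is the pattern worth escalating.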
MalRhino was found by Check Point in a fake iToken app for the Brazilian bank Banco Inter, which was also distributed through the Play Store. By the time this article was completed, both apps had been removed from Google's app store.
For Lotem Finkelsteen, Threat Intelligence Manager at Check Point Software, we are living in a time when, in order to carry out financial scams, cybercriminals only need to understand the platforms that banks use and their respective weaknesses. So that users can defend themselves, Finkelsteen recommends removing the malicious apps if they are installed on their devices and paying more attention when downloading any financial app from the app stores, as it may be fake.
Canaltech contacted Google asking how malicious apps like iToken and PagBank Cashback were made available on the Play Store. As of publication, the company had not yet sent us an answer. As soon as we receive a statement, we will update the article.
Source: Check Point
