Date: 2021-09-30

The popularity of Pix, the Central Bank system that allows automatic transfers between people, is attracting many criminals. In addition to robberies and hijackings, they are now also operating through malware.

A survey conducted by the intelligence division of Check Point Software, a global provider of cybersecurity solutions, detected cyber attacks targeting users’ Pix access. These scams are carried out with two pieces of banking malware that criminals distribute through malicious apps available on the Google Play Store. According to the study, the malware strains are called PixStealer and MalRhino and were identified in two fake apps: PagBank Cashback (the company’s cashback is carried out in its own app, which is just called PagBank) and iToken for Banco Inter, both pretending to be applications related to Brazilian companies.

Check Point’s research also states that these threats are evolutions of a well-known Brazilian family of banking malware that has already been distributed on the Google Play Store, but now with new functions that allow the theft of victims’ money from transactions via Pix.

How the threats work

Main screen of the fake application where PixStealer is distributed. (Image: Playback/Check Point Software)

PixStealer, which Check Point’s research considers lightweight malware because it acts only on the malicious application in which it is distributed, has only one feature: transferring the victim’s funds to an account controlled by the attacker. It can also operate without connecting to a command and control server, and can therefore go unnoticed by many antiviruses.

According to Check Point, PixStealer was being distributed through a fake PagBank Cashback application, which targeted users of PagBank bank services. The first time the malicious program is opened, it asks the device owner to grant accessibility permissions for the app, justifying that this step is necessary to enable the “cashback” function present in the service.

After the accessibility permission has been granted, when the user opens their PagBank application to access Pix, PixStealer shows the victim a pop-up window that hides the attacker’s movements from the user. Behind the overlay window, the attacker retrieves the amount of money available and, in most cases, transfers the entire amount to another account.