Check Point Research (CPR) discovers cyber attacks on users of PIX, the instant payment system managed by the Brazilian Central Bank. Cyber criminals tricked users into transferring their entire account balances into another bank account, by distributing two malicious applications on Google’s Play Store.
- Attackers lure victims into installing fake malicious mobile applications
- Malicious mobile applications trick victims into granting accessibility permissions
- Once granted, attackers can access the PIX payment system and proceed to steal money
- The app has since been removed from Google’s Play Store
- Check Point recommends users remove the malicious apps from their mobile phones immediately
29th September 2021 – Check Point Research (CPR) detected cyber attacks against the users of PIX, the instant payment solution created and managed by the Brazilian Central Bank. The attackers distributed two different variants of banking malware, named PixStealer and MalRhino, through two separate malicious applications on Google’s Play Store to carry out their attacks. Both malicious applications were designed to steal money from victims through user interaction and the original PIX application.
PixStealer Funnels Entire Account Balances to Attacker Accounts
The first variant is dubbed PixStealer. It comes in what CPR calls a “slim” form: the attackers designed PixStealer with only one capability, transferring a victim’s funds to an actor-controlled account. The “slim” label refers to the variant’s ability to operate without a connection to a command and control (C&C) server, which helps it go undetected. CPR ultimately found PixStealer being distributed on Google’s Play Store as a fake PagBank Cashback service, targeting only the Brazilian PagBank.
When a user opens their PIX bank application, PixStealer shows the victim an overlay window so that the user can’t see the attacker’s moves. Behind the overlay window, the attacker retrieves the available amount of money and transfers it, often the entire account balance, to another account.
MalRhino Hijacks Banking Applications Entirely
CPR went on to find a more advanced banking malware variant, capable of hijacking the entire PIX mobile application and other bank applications. Dubbed MalRhino, the more advanced variant was found in a fake iToken app for Brazilian Inter Bank – also distributed via Google’s Play Store. MalRhino displays a message to its victim attempting to convince them to grant Accessibility permission. Once granted, MalRhino can:
- Collect the list of installed applications and send it to the C&C server together with the victim’s device info
- Run bank applications
- Retrieve the PIN from the Nubank application
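Because both malicious apps depend on the victim granting the Android Accessibility permission, one practical defender check is to audit which packages on a device currently hold that permission. The bash script below is an added example, not code from Check Point or from the malware analysis; it assumes `adb` is on the PATH with a single device attached, the allowlist `TRUSTED_SERVICES` is a placeholder you replace with the services you actually expect (TalkBack is shown as a constructed entry), and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not Check Point's code): list apps that hold the Android
# Accessibility permission and flag any that are not on a trusted allowlist.
# Assumptions: adb is installed, one device is attached, and TRUSTED_SERVICES
# is a placeholder allowlist the reader replaces with their own expected services.
set -eu

# Constructed placeholder allowlist: colon-separated "package/ServiceClass" entries,
# the same format Android uses for the enabled_accessibility_services setting.
TRUSTED_SERVICES="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# Parse the raw value of the secure setting enabled_accessibility_services
# and print the package name of every service that is not in the allowlist.
#   $1 = raw setting value (colon-separated entries, or "null" when nothing is enabled)
#   $2 = colon-separated allowlist
flag_unknown_services() {
    raw="$1"
    allow="$2"
    # 'settings get' prints the literal string "null" when no service is enabled.
    [ "$raw" = "null" ] && return 0
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        case ":$allow:" in
            *":$entry:"*) ;;                      # expected service, skip it
            *) printf '%s\n' "${entry%%/*}" ;;    # unknown service: print its package
        esac
    done
}

# Live audit against the attached device: read the setting, flag unknown services,
# and show where each flagged package is installed. A path under /data/app/ means a
# user-installed APK (e.g. something fetched from an app store) rather than a
# system component, which is the case that deserves a closer look.
audit_device() {
    enabled="$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
    flag_unknown_services "$enabled" "$TRUSTED_SERVICES" | while IFS= read -r pkg; do
        location="$(adb shell pm path "$pkg" | tr -d '\r' | head -n 1)"
        printf 'ACCESSIBILITY ENABLED: %s (%s)\n' "$pkg" "${location#package:}"
    done
}

# Run the live audit only when adb is present and a device is actually attached;
# otherwise the functions are merely defined so they can be exercised offline.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    audit_device
fi
```

Any package this prints that you did not knowingly install as an accessibility tool is worth uninstalling, which matches the removal advice in the release; the `adb shell settings get secure enabled_accessibility_services` and `adb shell pm path` commands are standard Android tooling, and the script only reads device state.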
Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software Technologies:
“We live in a time where cyber criminals do not need to hack a bank to steal money. All a cybercriminal needs to do is understand the platforms that banks use and their respective pitfalls. There’s a growing trend where cyber criminals are going after the applications of institutional banks. This time, we found cyber attacks against the users of Brazil’s number one banking application. The attack involved two malicious apps that at some point could be found on Google Play Store, but no longer. The attackers presented a slim version, which ran an overlay when using the legit application, and a full blown version that has capabilities to hijack the entire banking application, eventually. We believe these cyber attacks to be a strong sign that cyber criminals are trending their activities around Android banking malware, with the goal to transfer funds of victims to their own accounts. In a world where everything is done remotely due to coronavirus, we recommend users remove the malicious apps from their mobile phones immediately. I also strongly urge all users of bank applications to watch out for banking malware laced into mobile applications. CPR will continue to monitor the latest technological trends and how cyber criminals are taking advantage of them.”