PixRevolution Android trojan hijacks Brazil’s instant payments

Brazil's popular instant payment system, PIX, which processes billions of transactions monthly, is now facing a new threat named PixRevolution. This sophisticated Android malware hijacks payments in real-time by employing an agent-in-the-loop model, where a human or AI operator monitors the victim's screen, as reported by HackRead.

The PixRevolution malware operates by displaying a fake "Aguarde..." (please wait) loading screen when a user initiates a PIX transfer. While the victim sees the spinner, the malware secretly replaces the recipient's key with the attacker's details and simulates a confirmation tap. This exploits PIX's instant and irrevocable nature, making stolen funds irretrievable. Infections typically begin with users downloading dropper apps from fake app stores mimicking legitimate services like Google Play, postal services, or government courts. These apps then trick users into enabling Accessibility Services, granting the malware the ability to read screens and interact with other applications.

The effectiveness of PixRevolution lies in its real-time, human-operated nature, making it difficult for traditional signature-based security solutions to detect. The malware's ability to mimic legitimate banking interfaces and monitor for over 80 Portuguese banking phrases across 10 major banks highlights the evolving sophistication of mobile threats.

Source: HackRead