PixRevolution is a novel Android banking trojan that streams victims’ screens in real time and uses an operator (human or AI) to replace PIX recipients during a transfer, redirecting funds instantly. It is distributed via convincing fake Google Play Store pages and impersonated Brazilian brands, abusing the Accessibility and MediaProjection APIs (legitimate platform features, not vulnerabilities) to operate stealthily and evade signature-based detection.
Keypoints
- PixRevolution streams the victim’s screen via Android MediaProjection and provides an operator real-time visibility to intercept PIX transfers at confirmation.
- The trojan replaces the intended PIX recipient by injecting the attacker’s PIX key using Accessibility APIs (ACTION_SET_TEXT) and confirms the transaction via simulated gestures (dispatchGesture).
- Distribution relies on fake Google Play Store pages and impersonation of trusted Brazilian brands (Expedia, Correios, Sicredi, STJ, AVG, etc.) with multi-stage droppers embedding assets/update.apk installed via PackageInstaller API.
- The malware monitors over 80 Portuguese transaction-related phrases (base64-encoded) to detect when a financial transfer is occurring and sends structured alerts to C2 when keywords match.
- Persistent TCP C2 communication (port 9000 with heartbeats) and a secondary HTTP telemetry endpoint (port 3030) support operator control and screen streaming; foreground MediaProjection persistence ensures ongoing capture.
- PixRevolution is bank-agnostic by design, contains hardcoded bank logo assets for major Brazilian institutions (e.g., Nubank, Itaú, Banco do Brasil), and poses high-impact risk due to PIX’s instant, irrevocable transfers.
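The key points above describe a capability combination rather than a single signature: an accessibility service configured for typeAllMask that can also inject gestures, a foreground MediaProjection service, an embedded APK next to install permission, and base64-hidden Portuguese transaction keywords. The following static triage script is an added example written for this page, not code from the report or from the malware; the manifest, accessibility config, asset list and string dump it reads are constructed stand-ins (package names, file names and strings are hypothetical), and the scoring thresholds are an assumption for illustration.

```python
"""Static triage of extracted APK artifacts for the capability combination
described in the key points. Every input below is constructed for
illustration and is not taken from a real sample."""
import base64
import re
import unicodedata
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # attribute namespace

# Constructed AndroidManifest.xml fragment (hypothetical package name).
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lure">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Cap" android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""

# Constructed res/xml/accessibility_service_config.xml.
ACCESSIBILITY_XML = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeAllMask"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"/>"""

# Constructed benign manifest used as a control case.
BENIGN_MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

ASSETS = ["assets/update.apk", "assets/logo_nu.png"]  # constructed file list
# Constructed string dump: two base64-wrapped Portuguese phrases plus noise.
DEX_STRINGS = [base64.b64encode(s.encode("utf-8")).decode("ascii")
               for s in ("chave pix", "confirmar transferência")] + ["aGVsbG8=", "ok", "Lorem"]

# Accent-insensitive stems of Portuguese transaction vocabulary (assumed list).
TRANSACTION_TERMS = ("pix", "transfer", "chave", "confirmar", "pagamento", "valor")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")


def parse_manifest(xml_text):
    """Return (permission set, has accessibility service, has MediaProjection FGS)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    services = list(root.iter("service"))
    has_a11y = any(s.get(ANDROID + "permission") ==
                   "android.permission.BIND_ACCESSIBILITY_SERVICE" for s in services)
    has_mp = any(s.get(ANDROID + "foregroundServiceType") == "mediaProjection"
                 for s in services)
    return perms, has_a11y, has_mp


def parse_accessibility_config(xml_text):
    """Extract the three flags that together allow reading and driving any app."""
    root = ET.fromstring(xml_text)
    return {
        "all_events": root.get(ANDROID + "accessibilityEventTypes") == "typeAllMask",
        "window_content": root.get(ANDROID + "canRetrieveWindowContent") == "true",
        "gestures": root.get(ANDROID + "canPerformGestures") == "true",
    }


def normalize(text):
    """Lowercase and strip accents so 'transferência' matches 'transfer'."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def decode_transaction_keywords(strings):
    """Decode base64-looking strings and keep those containing transaction terms."""
    hits = []
    for s in strings:
        if not B64_RE.match(s) or len(s) % 4:
            continue
        try:
            text = base64.b64decode(s, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not text; skip silently
        if any(term in normalize(text) for term in TRANSACTION_TERMS):
            hits.append(text)
    return hits


def triage(manifest_xml, accessibility_xml, assets, dex_strings):
    """Combine the signals into a verdict; thresholds are illustrative."""
    perms, has_a11y, has_mp = parse_manifest(manifest_xml)
    a11y = parse_accessibility_config(accessibility_xml) if has_a11y else {}
    findings = []
    if has_a11y and a11y.get("all_events") and a11y.get("window_content"):
        findings.append("accessibility service reads every UI event across apps (typeAllMask)")
    if has_a11y and a11y.get("gestures"):
        findings.append("accessibility service may inject gestures (canPerformGestures)")
    if has_mp or "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION" in perms:
        findings.append("foreground MediaProjection service (persistent screen capture)")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append("overlay permission (can cover the screen during a transfer)")
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms and any(
            a.endswith(".apk") for a in assets):
        findings.append("embedded APK plus install permission (dropper pattern)")
    keywords = decode_transaction_keywords(dex_strings)
    if keywords:
        findings.append("base64-hidden transaction keywords: " + ", ".join(keywords))
    verdict = "high" if len(findings) >= 4 else "medium" if len(findings) >= 2 else "low"
    return verdict, findings


if __name__ == "__main__":
    print(triage(MANIFEST_XML, ACCESSIBILITY_XML, ASSETS, DEX_STRINGS))
```

Each signal on its own is common in legitimate apps (screen recorders, password managers, app stores), which is why the script scores the combination rather than any single flag; the keyword decoder is the cheap way to surface a phrase list that would otherwise defeat plain string matching.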
MITRE Techniques
- [T1476] Deliver Malicious App via Other Means – Fake Google Play Store pages hosted on attacker-controlled domains distribute malicious APKs directly to victims (‘…fake Google Play Store pages hosted on domains they control…’)
- [T1660] Phishing – Attacker-controlled domains impersonate trusted Brazilian brands (Expedia, Correios, STJ) to lure users into installing malicious apps (‘…impersonating several well-known Brazilian entities…’)
- [T1541] Foreground Persistence – Starts a foreground service for MediaProjection screen capture to maintain persistent access and survive background termination (‘…Starts a foreground service for MediaProjection screen capture…’)
- [T1655.001] Masquerading: Match Legitimate Name or Location – Dropper APKs impersonate well-known brands and use convincing app icons and descriptions to appear legitimate (‘…impersonate well-known brands (Expedia, Correios, AVG Antivirus)…’)
- [T1628.001] Hide Artifacts: Suppress Application Icon – Dropper conceals itself after silently installing the RAT payload via PackageInstaller API to avoid user detection (‘…silently install the actual RAT payload… the dropper conceals itself…’)
- [T1426] System Information Discovery – Heartbeat messages to C2 include device ID, battery level, and network type to profile victim devices (‘…heartbeat messages that include the device ID, battery level, and network type…’)
- [T1513] Screen Capture – Uses MediaProjection API to create a virtual display, capture screen frames as bitmaps, compress to JPEG, and stream to C2 in real time (‘…creates a virtual display that mirrors the device screen… streams it to the C2 server…’)
- [T1417] Input Capture – Accessibility service with typeAllMask configuration reads all text visible on screen across every application (‘…accessibility configuration requests typeAllMask… it receives notifications about every UI change… can read all text visible on screen…’)
- [T1437] Application Layer Protocol – Persistent TCP connection to C2 on port 9000 with heartbeat keepalives and a secondary HTTP endpoint on port 3030 for telemetry (‘…persistent TCP connection to a C2 server on port 9000… secondary HTTP endpoint on port 3030…’)
- [T1516] Input Injection – Uses performAction(ACTION_SET_TEXT) to replace PIX recipient and dispatchGesture() to simulate confirmation tap, hijacking transactions behind a full-screen overlay (‘…performAction(ACTION_SET_TEXT) … dispatchGesture() … full-screen “Aguarde…” overlay…’)
Indicators of Compromise
- [Domains] Fake Google Play Store pages used to distribute dropper APKs – attacker-controlled fake Play Store domains (examples not listed in report) and other dedicated distribution domains observed.
- [File names] Embedded dropper payload and installer artifacts – assets/update.apk (embedded RAT), dropper APKs disguised as legitimate apps (e.g., Expedia, STJ).
- [App impersonation] Impersonated app titles used in lures – Expedia: viagem, hotel, voo; Correios (Brazilian Postal Service); and other brand disguises like Sicredi and AVG Antivirus.
- [Network / Ports] Command & Control endpoints and telemetry – persistent TCP C2 on port 9000, secondary HTTP endpoint on port 3030.
- [Brand assets / URLs] Hardcoded bank logo URLs and bank codes used to theme overlays – examples: Nubank (code NU), Itaú (code I), Banco do Brasil (code B), and other bank logo URLs for 10 major Brazilian institutions.
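The network indicators above are port numbers, which an operator can change in a build; the more durable signal is the behaviour the report describes, a persistent TCP session kept alive by regular heartbeats. The following beaconing heuristic is an added example written for this page (not detection logic from the report): it groups NetFlow-style records per device/destination/port, flags peers contacted at short, near-constant intervals, and only annotates whether the port happens to match the reported values. The flow records, IP addresses, interval and thresholds are constructed and assumed for illustration.

```python
"""Beaconing heuristic for a persistent-TCP heartbeat pattern. Flow records
are constructed for illustration; addresses use documentation ranges."""
from collections import defaultdict
from statistics import pstdev

REPORTED_PORTS = {9000, 3030}  # ports named in the report; a hint, not a verdict


def _constructed_flows():
    """Build a small list of (epoch_seconds, src, dst, dport, bytes) records."""
    flows = []
    base = 1_700_000_000
    # ~30 s heartbeat of ~200 bytes from one phone to a non-standard port
    # (constructed; jitter of +/-1 s mimics scheduling noise).
    jitter = [0, 1, -1, 0, 1, 0, -1, 0, 1, 0, -1, 0]
    for i, j in enumerate(jitter):
        flows.append((base + 30 * i + j, "10.0.0.5", "203.0.113.10", 9000, 200))
    # Ordinary browsing: irregular timing, larger transfers (constructed).
    for t, n in ((5, 4_000), (12, 120_000), (70, 8_000), (200, 55_000),
                 (260, 3_100), (340, 90_000), (600, 7_500)):
        flows.append((base + t, "10.0.0.5", "198.51.100.7", 443, n))
    # A few telemetry posts to the second port: too few to judge regularity.
    for t in (40, 95, 400):
        flows.append((base + t, "10.0.0.5", "203.0.113.10", 3030, 1_500))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def find_beacons(flows, min_count=6, max_cv=0.15, max_interval=600):
    """Return (src, dst, dport) peers whose inter-connection gaps are short and
    nearly constant: coefficient of variation (stdev / mean) <= max_cv."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport, _size in flows:
        by_peer[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), stamps in by_peer.items():
        if len(stamps) < min_count:
            continue  # not enough samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = sum(gaps) / len(gaps)
        if avg == 0 or avg > max_interval:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport, "count": len(stamps),
                "interval": round(avg, 1), "cv": round(cv, 3),
                "port_matches_report": dport in REPORTED_PORTS,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

On the constructed data only the 9000/tcp peer is reported (twelve connections, 30 s mean gap, CV about 0.04); the HTTPS browsing is far too irregular and the three 3030/tcp posts are below the minimum count, which is the intended behaviour: a port match alone never produces a hit. On real telemetry the thresholds need tuning per environment, and legitimate push or sync clients also beacon, so the output is a triage queue rather than a verdict.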