The mobile banking landscape is under siege. Cybercriminals are no longer relying solely on desktop-based campaigns; they have shifted their focus to the device that never leaves your pocket. Recent intelligence reveals the emergence of six distinct Android malware families specifically engineered to siphon funds from Pix payments, drain banking applications, and plunder cryptocurrency wallets.
At Security Arsenal, we are tracking this evolution with concern. These aren't simplistic scripts; they are sophisticated Remote Access Trojans (RATs) and banking trojans capable of bypassing multi-factor authentication (MFA) and intercepting one-time passwords (OTPs) in real time.
The Threat Landscape: PixRevolution, SURXRAT, and Beyond
The malware families identified—PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT—represent a convergence of traditional banking trojans and full-fledged remote administration tools.
PixRevolution acts as a specialized harvester for the Pix instant payment system, popular in Brazil and expanding globally. It utilizes overlay attacks to trick users into entering credentials on fake screens that sit on top of legitimate banking apps. Meanwhile, SURXRAT and TaxiSpy offer comprehensive backdoor capabilities. Once installed, they grant attackers total control over the device, enabling them to:
- Record audio and video via the microphone and camera.
- Track GPS location to correlate physical movements with transaction times.
- Intercept SMS messages to hijack 2FA codes.
- Exfiltrate contact lists to propagate the malware through smishing (SMS phishing).
TTPs and Attack Vectors
The primary infection vector for these families remains social engineering. Attackers distribute these payloads via malicious links sent through SMS, WhatsApp, or phishing emails impersonating legitimate delivery services or financial institutions.
The core enabler of these trojans is the abuse of Android’s Accessibility Services. By masquerading as a utility app (e.g., a flashlight or PDF reader) and requesting accessibility permissions, the malware gains the ability to read the screen and programmatically click buttons. This allows the malware to automate the transfer of funds, approve transactions, and disable security settings without the user's knowledge.
Detection and Threat Hunting
Defending against these threats requires visibility into mobile endpoints and the ability to detect suspicious behaviors, such as the unauthorized request for Accessibility Services or unusual network traffic originating from finance apps.
Below are detection methodologies for your SOC team.
KQL Query for Sentinel/Defender for Endpoint
This query hunts for Android devices where non-system applications are requesting high-risk Accessibility Services.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ActionType contains "AccessibilityService" or ActionType contains "PermissionChange"
| where InitiatingProcessFileName !in ("com.android.systemui", "com.google.android.gms")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ActionType, FolderPath
| order by Timestamp desc
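The KQL query covers managed endpoints; as an added example (not code from the original post), the Python below audits a single device instead, by parsing the output of two adb commands, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and flagging enabled accessibility services whose package is not allowlisted or was not installed by a trusted installer. The allowlist, the trusted-installer set and the sample output are assumptions constructed for this example.

```python
import re

# Both samples are constructed for this example. On a real device they come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashlight/.AccessibilityHelper"
)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.android.settings  installer=null
"""
# Packages expected to own accessibility services in this fleet (assumption).
ALLOWED_SERVICE_PACKAGES = {"com.google.android.marvin.talkback"}
# Installers we trust; anything else (or null) suggests the APK was sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(raw):
    """Turn the colon-separated ComponentName list into (package, class) pairs."""
    pairs = []
    for item in raw.strip().split(":"):
        if not item or item == "null":  # "null" is printed when nothing is enabled
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls  # ".Helper" is shorthand for "<pkg>.Helper"
        pairs.append((pkg, cls))
    return pairs

def parse_installers(raw):
    """Map package -> installer package ("null" when unknown or sideloaded)."""
    pattern = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$", re.MULTILINE)
    return dict(pattern.findall(raw))

def audit_accessibility(enabled_raw, packages_raw):
    """Return [(package, service_class, reason)] for services worth a look."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        if pkg in ALLOWED_SERVICE_PACKAGES:
            continue
        inst = installers.get(pkg, "null")
        reason = "not allowlisted"
        if inst not in TRUSTED_INSTALLERS:
            reason += f"; installer={inst} (sideloaded?)"
        findings.append((pkg, cls, reason))
    return findings
```

Run it against real output from a suspect device and treat any finding as a trigger for a manifest review with the script in the next section.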
Python Script for Manifest Analysis
This Python script scans a directory of decoded (plain-text) AndroidManifest.xml files, such as those produced by apktool, to identify apps declaring the BIND_ACCESSIBILITY_SERVICE permission—a critical indicator for potential banking trojans. The binary manifest packed inside an APK will not parse as XML, so decode it first.
import os
import xml.etree.ElementTree as ET

ANDROID_NS = 'http://schemas.android.com/apk/res/android'


def check_accessibility_permission(manifest_path):
    """Checks if AndroidManifest.xml requests Accessibility Service."""
    namespace = {'android': ANDROID_NS}
    name_attr = f'{{{ANDROID_NS}}}name'
    permission_attr = f'{{{ANDROID_NS}}}permission'
    try:
        tree = ET.parse(manifest_path)
        root = tree.getroot()
        # Check for the dangerous permission
        permissions = root.findall('uses-permission', namespace)
        for perm in permissions:
            perm_name = perm.get(name_attr) or ''
            if 'BIND_ACCESSIBILITY_SERVICE' in perm_name:
                return True
        # Check for service declaration claiming to be an accessibility service
        services = root.findall('application/service', namespace)
        for service in services:
            # A genuine accessibility service is guarded by this permission on the
            # <service> element itself, so check that attribute as well
            if 'BIND_ACCESSIBILITY_SERVICE' in (service.get(permission_attr) or ''):
                return True
            intent_filters = service.findall('intent-filter', namespace)
            for intent in intent_filters:
                actions = intent.findall('action', namespace)
                for action in actions:
                    action_name = action.get(name_attr) or ''
                    if 'android.accessibilityservice.AccessibilityService' in action_name:
                        return True
    except (ET.ParseError, OSError) as e:
        print(f"Error parsing {manifest_path}: {e}")
    return False


if __name__ == '__main__':
    # Example usage: scanning a directory of manifests
    directory = 'extracted_apks_manifests'
    for filename in os.listdir(directory):
        if filename.endswith('.xml'):
            filepath = os.path.join(directory, filename)
            if check_accessibility_permission(filepath):
                print(f"[!] POTENTIAL THREAT: Accessibility Service found in {filename}")
            else:
                print(f"[-] Clean: {filename}")
Mitigation Strategies
To protect your organization and personal devices from these aggressive banking trojans, we recommend the following actionable steps:
- Restrict Sideloading: Enforce policies that prevent the installation of apps from unknown sources (sideloading) on corporate devices.
- Vet Accessibility Apps: Scrutinize any app requesting Accessibility Services. If a flashlight app needs these permissions, it is almost certainly malicious.
- Mobile Threat Defense (MTD): Deploy a dedicated MTD solution that can detect overlay attacks and known malware signatures in real time.
- User Education: Train users to recognize smishing attacks. Remind them that banks will never ask them to install a security certificate or an app via a link in a text message.
Conclusion
The diversification of malware families targeting Pix and crypto assets signals a lucrative future for mobile financial fraud. By understanding the TTPs—specifically the abuse of Accessibility Services—and implementing robust hunting queries, security teams can stay one step ahead of these digital pickpockets.