Cybersecurity researchers discovered six Android malware families that steal data and enable financial fraud, including real-time hijacking of Brazil’s Pix instant payments through fake app pages and abuse of Android accessibility and screen capture features.
KEY FACTS
- Incident: Six Android malware families discovered targeting mobile users and financial services.
- Known families: PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT and SURXRAT.
- Delivery: Fake Google Play listing pages and malicious dropper APKs that request accessibility permissions.
- Techniques: Screen capture, WebView overlays, MediaProjection, accessibility abuse and Firebase or TCP command channels.
In a technical analysis, Zimperium said PixRevolution operates stealthily until a victim initiates a Pix transfer. It then captures the screen, sends heartbeat messages to a server on TCP port 9000, activates Android’s MediaProjection API and displays a fake WebView overlay reading ‘Aguarde…’ while it replaces the recipient Pix key to route funds to the attacker.
BeatBanker spreads via phishing pages disguised as the Google Play Store and uses an unusual persistence trick: it plays a near-inaudible audio file on loop to resist termination. The malicious package can include a cryptocurrency miner and a banking module that creates overlays for Binance and Trust Wallet to replace transaction addresses, and it uses Google’s Firebase Cloud Messaging for command and control (Kaspersky).
TaxiSpy RAT abuses the accessibility and MediaProjection APIs to harvest SMS messages, contacts, call logs, clipboard contents, installed app lists, notifications, lock screen PINs and keystrokes, and to serve overlays that target regional banking and cryptocurrency apps. Other offerings include Mirax and Oblivion, which are marketed as malware-as-a-service, and SURXRAT, which is sold via a Telegram ecosystem and in some samples downloads a large language model component and a screen locker module that can deny device access (Cyble).
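The families above share one capability bundle: an accessibility service, an overlay or MediaProjection capture path, and a push-based command channel. The triage script below is an added example, not code from Zimperium, Kaspersky or Cyble; it assumes the APK manifest has already been decoded to plain XML (for instance with apktool) and uses a constructed sample manifest to show how the combination scores.

```python
"""Flag the accessibility + overlay/capture + push-channel combination in a
decoded AndroidManifest.xml. Assumes plain-text XML, not binary AXML."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to short risk labels.
PERMISSION_FLAGS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "media_projection",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
}

def manifest_flags(xml_text):
    """Return the set of risk labels declared in the manifest."""
    root = ET.fromstring(xml_text)
    flags = set()
    for up in root.iter("uses-permission"):
        label = PERMISSION_FLAGS.get(up.get(ANDROID_NS + "name"))
        if label:
            flags.add(label)
    for svc in root.iter("service"):
        # An accessibility service must be bound with this permission.
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            flags.add("accessibility")
        # Android 10+ screen capture runs as a mediaProjection foreground service.
        if "mediaProjection" in (svc.get(ANDROID_NS + "foregroundServiceType") or ""):
            flags.add("media_projection")
        # Firebase Cloud Messaging commands arrive through this intent action.
        for action in svc.iter("action"):
            if action.get(ANDROID_NS + "name") == "com.google.firebase.MESSAGING_EVENT":
                flags.add("fcm_channel")
    return flags

def risk_score(flags):
    """One point per capability, plus 3 when accessibility is paired with
    an overlay or capture path (the overlay-fraud pattern in the brief)."""
    score = len(flags)
    if "accessibility" in flags and flags & {"overlay", "media_projection"}:
        score += 3
    return score

# Constructed sample manifest resembling a dropper; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Cap" android:foregroundServiceType="mediaProjection"/>
    <service android:name=".Push"><intent-filter>
      <action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter></service>
  </application></manifest>"""
```

Running `risk_score(manifest_flags(SAMPLE_MANIFEST))` on the sample returns 7; a manifest that only requests INTERNET scores 0.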
WHY IT MATTERS
The observed combination of real-time overlays, automated permission abuse and persistent remote control enables instant, often irreversible financial losses and prolonged device surveillance. These capabilities raise the risk for users who install apps from unofficial pages or grant broad accessibility rights to untrusted software.