{
	"id": "b92ad16e-ebce-426e-a20b-83ec9b566903",
	"created_at": "2026-04-06T00:10:04.089775Z",
	"updated_at": "2026-04-10T03:30:33.52135Z",
	"deleted_at": null,
	"sha1_hash": "99a380b904f8132be1a3bf3592d2de7757216997",
	"title": "PixPirate back spreading via WhatsApp",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4993748,
	"plain_text": "PixPirate back spreading via WhatsApp\r\nBy Nir Somech\r\nPublished: 2024-11-26 · Archived: 2026-04-05 18:25:36 UTC\r\nNir Somech\r\nMalware Researcher – Trusteer IBM\r\nThis blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content.\r\nPixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also runs the droppee. Without this operation by the PixPirate downloader, the droppee, i.e. the malware itself, would never run. In addition, the PixPirate downloader can send commands to the droppee for execution and has an active role in the droppee activities and operations.\r\nIn the most basic terms, the PixPirate downloader pretends to be a legitimate authentication application that helps users secure their bank accounts.\r\nhttps://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/\r\nPage 1 of 11\n\nPixPirate downloader function responsible for getting droppee launching activity\r\nThe PixPirate downloader doesn’t exist in the Google Play Store, but it spreads through smishing campaigns or a WhatsApp spam message from an infected user. In these cases, the victim is tricked into downloading and installing the downloader application. 
As it runs, the downloader prompts the target victim that there is an updated version of the application and asks for permission to install other untrusted apps, as a way to install the related PixPirate droppee.\r\nThe new PixPirate campaign\r\nPixPirate downloader function that runs and executes the PixPirate droppee\r\nIn recent months, the Trusteer research lab monitored and detected a new campaign of PixPirate running in Brazil and directly attacking Brazilian banks. At the time of this blog, PixPirate still primarily targets the Pix payment services that are integrated with most Brazilian banking apps.\r\nIn the current PixPirate campaign, Trusteer noticed the largest number of infections in Brazil (almost 70% of all infections), but with an additional reach that expanded to other markets in the world, including India and most recently Italy and Mexico. Outside of Brazil, India is the next-most infected country by PixPirate, with nearly 20% of the total infections in the world. Although no Indian banks appear in the PixPirate target list, the Trusteer research lab assumes the malware developers are laying the foundation for future campaigns in India. One assumption for the infection spread in India is the widespread use of India’s Unified Payments Interface (UPI) instant payment service. 
The UPI is utilized by hundreds of millions of consumers in India, where it has become the country’s standard payment platform, and is regulated by the Reserve Bank of India (RBI).\r\nPixPirate droppee installation made easy\r\nThe newly identified PixPirate campaign also includes a new version of the downloader, which contains a link to a YouTube video that explains and demonstrates to the target victim how to unknowingly install the droppee Android package kit (APK) and grant all the necessary permissions and capabilities in order to fully execute on the victim’s device. The YouTube video mimics a legitimate tutorial video explaining to the user how to install a legitimate financial service app, and to date has more than 78,000 views, providing some sense of the infection’s reach, assuming every YouTube viewer has followed through and unknowingly installed the PixPirate malware.\r\nIn the video, a user launches the downloader app for the first time, which simulates being a legitimate financial services application. The PixPirate downloader then asks the user to install an updated version of itself. Once the installation is complete, the victim has actually installed a new malicious application, rather than simply upgrading the downloader. This new app – the droppee app – is in fact the PixPirate malware. The PixPirate malware then remains incognito to the user by having no icon on the home screen of the infected device.\r\nAs discussed in the previous PixPirate blog, remaining incognito to the user has many advantages, including giving the PixPirate malware a better chance to sustain a long infection period with the ability to conduct financial fraud. However, this also introduces a problem – without an icon, the victim cannot “start” or activate the malware manually, so who will do it? That’s where the PixPirate downloader comes back into play, as the resource that is responsible for running the malware. 
The previous Trusteer blog post described the innovative way the PixPirate downloader ran the droppee, but in this current campaign, Trusteer has detected a new way the downloader executes the malware, as described in the next section.\r\nNew PixPirate droppee execution method\r\nThe previous Trusteer blog post assessed the method used by the PixPirate droppee to hide its icon and, as a result, the special technique used by the downloader in order to run the droppee. In the new PixPirate campaign, the downloader uses a new method for launching the droppee.\r\nIn the new method, the downloader retains the role of executing the invisible droppee. The droppee declares in its manifest an activity with an intent filter carrying one of the following unique action names:\r\n“com.ticket.stage.Service”\r\n“com.ticket.action.Service”\r\n“com.sell.allday.Service”\r\nWhen the PixPirate downloader wants to run the correlated droppee, the first thing it needs to do is to get the droppee activity holding this specific unique action and the droppee’s package name. To do that, the downloader uses the API “queryIntentActivities(android.content.Intent, int)”, passing an intent with the desired action name. This function retrieves a list of all activities that hold an intent filter matching the given intent. It returns a list of “ResolveInfo” objects containing one entry for each matching activity.\r\nWe can see in the image below the function that is responsible for returning a list of all intents for all the activities of packages that contain one of the action names mentioned above. 
The PixPirate downloader starts with a for loop over a list of activity action names belonging to the PixPirate droppee, calling the “queryIntentActivities” API for each of them. This API returns a list of “ResolveInfo” objects containing all activities with one of the droppee action names. For each “ResolveInfo” object returned, it creates an intent with the corresponding activity name and package name and stores it in an array. This array is returned by the function.\r\nPixPirate new infection methodology\r\nIn the following function, we can see in the for loop a call to the function “get_potential_droppee_packagenames”, which is responsible for returning a list of all intents for all activities of packages that contain one of the droppee action names. Then, it validates that the package name related to the returned intent is really the droppee package. If so, it adds other relevant and necessary data to the intent and uses the “startActivity(android.content.Intent)” API to start the relevant droppee activity and perform the action of running the droppee.\r\nWhatsApp: Key player in PixPirate malware spreading technique\r\nAs part of the installation flow of the PixPirate downloader on a device, the downloader checks to see if the WhatsApp instant messaging app is installed. The downloader contains in its “assets” folder the “WhatsApp” APK, so if the WhatsApp application is not installed on the victim’s device, the malware pushes the victim to install it.\r\nFigure 5: Downloader assets.\r\nWe can see in the image above the “assets” folder of the downloader APK, where “wsv2.jpeg” stands for the WhatsApp APK. The other files are different versions of the droppee APKs.\r\nDue to the size of the WhatsApp APK, we see the downloader is almost 100MB. 
Comparatively, the PixPirate downloader, because it embeds the WhatsApp APK, is abnormally large compared to other common finance malware downloaders, which have relatively small code sections and little functionality, as they generally aim only to download and install the droppee (and not run it).\r\nThe PixPirate droppee uses the WhatsApp app to send malicious phishing messages through a victim’s WhatsApp account with the intent to spread itself and infect other devices. The malware has the ability to read the contact list of the victim, in addition to being able to add contacts, and then can send WhatsApp messages to a victim’s contacts or even WhatsApp groups to further the spread and infect more users.\r\nThe new capabilities and functionality related to the WhatsApp app can include:\r\nSending messages\r\nDeleting messages\r\nCreating groups and sending messages\r\nReading and deleting the user contact list\r\nAdding and changing the user contact list\r\nBlocking and unblocking other WhatsApp user accounts\r\nWhile the WhatsApp messages are being sent, the PixPirate malware uses an overlay technique to hide the device screen, so the victim won’t notice the malware is using the WhatsApp app.\r\nFigure 6: PixPirate new infection methodology.\r\nIt should be noted that sending WhatsApp phishing messages is an extremely effective tool for attackers to spread and infect other victims, for a couple of reasons:\r\n1. WhatsApp messages look more legitimate and reliable than SMS messages. Smishing is an already well-known technique used by fraudsters and attackers to spread spam and malicious content, and users are aware of those types of malicious threats. However, that precaution and awareness is not as pronounced with WhatsApp messages.\r\n2. 
As opposed to smishing attacks, where the sender tends to be unknown to the victim, which can raise their suspicions, messages received via WhatsApp are often sent from a known contact, which gives the recipient a false sense of security that the message is legitimate.\r\nUsing WhatsApp helps foster PixPirate infections and spread the malware to more victims and devices, even if they are not potential intended targets.\r\nSending a WhatsApp message\r\nIn the image below, the PixPirate function that is responsible for sending WhatsApp messages from the victim account is clearly visible. Note that the function gets three parameters:\r\nContact list – a list of contacts to send the malicious WhatsApp message to\r\nmessagesArr – array of messages to send\r\nsleepTime – time to wait between each message sending\r\nThe malware then uses the phone number from the victim’s contact list and creates an intent whose data field contains the key for sending a WhatsApp message to the targeted phone number with the text it would like to send. 
In the intent’s package field, PixPirate sets the package name of the WhatsApp application (“com.whatsapp”) and then triggers the message sending action by starting the activity using the intent it just created.\r\nFigure 7: Malware creating a WhatsApp message.\r\nIn the next image, after the message to be sent via PixPirate has been created, the malware locates the “send” button and abuses the device’s Accessibility service to click on it, just like a human user would, to send the WhatsApp message to the intended recipients.\r\nFigure 8: Malware sending WhatsApp message function.\r\nSummary\r\nPixPirate is a dangerous remote access tool (RAT) malware campaign first seen in late 2021, but which has recently returned via a new campaign infecting users primarily in Brazil and India, with campaigns beginning to appear in Italy and Mexico. PixPirate’s threats and malicious activities are based on the malware’s unique accessibility capabilities, including being a RAT and having remote-control capabilities to ensure automatic fraud execution, theft of user data, spreading through WhatsApp messages, hiding and anti-removal, intercepting SMS, recording user activities and more. The malware also holds some anti-virtual machine (anti-VM) and obfuscation capabilities.\r\nThis latest iteration of the PixPirate malware also uses a new hiding technique to conceal its existence on the device, including hiding its icon on the home screen.\r\nEarly on in the malware’s lifecycle, PixPirate was identified only in Brazil, targeting Pix payment services and Brazilian banks. Today, however, the new PixPirate version and campaign identified by Trusteer Lab has spread to other regions in the world, with a specific focus on India. 
Although Trusteer hasn’t observed any Indian targets to date, our assumption is this is only the beginning of this heavily maintained malware, to the point that we may see PixPirate outgrow its name in the future.\r\nIOCs\r\nDownloader SHA256: 1196c9f7102224eb1334cef1b0b1eab070adb3826b714c5ebc932b0e19bffc55\r\nDroppee SHA256: d723248b05b8719d5df686663c47d5789c323d04cd74b7d4629a1a1895e8f69a\r\nSource: https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/"
	],
	"report_names": [
		"pixpirate-back-spreading-via-whatsapp"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434204,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99a380b904f8132be1a3bf3592d2de7757216997.pdf",
		"text": "https://archive.orkl.eu/99a380b904f8132be1a3bf3592d2de7757216997.txt",
		"img": "https://archive.orkl.eu/99a380b904f8132be1a3bf3592d2de7757216997.jpg"
	}
}