{
	"id": "e641c0d4-2e4f-4f48-861e-f3d434a29ce4",
	"created_at": "2026-04-06T00:06:13.479244Z",
	"updated_at": "2026-04-10T03:30:33.301098Z",
	"deleted_at": null,
	"sha1_hash": "e9ef2e292bf26a3d62883215de51cd908c29c2f6",
	"title": "PixPirate: Brazilian financial malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5347236,
	"plain_text": "PixPirate: Brazilian financial malware\r\nBy Nir Somech\r\nPublished: 2024-03-13 · Archived: 2026-04-05 17:05:07 UTC\r\nNir Somech\r\nMalware Researcher – Trusteer IBM\r\nMalicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The\r\nconstantly mutating PixPirate malware has taken that strategy to a new extreme.\r\nPixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research\r\ntechniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee.\r\nOperating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer\r\nresearchers have observed this malware attacking banks in Brazil.\r\nA hidden threat\r\nWithin IBM Trusteer, we saw several different techniques to hide malware from its victims. Most banking\r\nmalware conceals its existence on the mobile device by hiding its launcher icon from the victim using the\r\nSetComponentEnabledSetting application programming interface (API). However, since Android 10, that\r\ntechnique no longer works due to new restrictions imposed by Google.\r\nTo address this new challenge, PixPirate introduced a new technique to hide its icon that we have never seen\r\nfinancial malware use before. Thanks to this new technique, during PixPirate reconnaissance and attack phases,\r\nthe victim remains oblivious to the malicious operations that this malware performs in the background.\r\nPixPirate abuses the accessibility service to gain RAT capabilities, monitor the victim’s activities and steal the\r\nvictim’s online banking credentials, credit card details and login information of all targeted accounts. 
If two-factor\r\nauthentication (2FA) is needed to complete the fraudulent transaction, the malware can also access, edit and delete\r\nthe victim’s SMS messages, including any messages the bank sends.\r\nPixPirate uses modern capabilities and poses a serious threat to its victims. Here is a short list of PixPirate’s main\r\nmalicious capabilities:\r\nManipulating and controlling other applications\r\nKeylogging\r\nCollecting a list of apps installed on the device\r\nInstalling and removing apps from the infected device\r\nLocking and unlocking device screen\r\nAccessing registered phone accounts\r\nAccessing contact list and ongoing calls\r\nhttps://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/\r\nPage 1 of 11\n\nPinpointing device location\r\nAnti-virtual machine (VM) and anti-debug capabilities\r\nPersistence after reboot\r\nSpreading through WhatsApp\r\nReading, editing and deleting SMS messages\r\nAnti-removal and disabling Google Play Protect\r\nThanks to its RAT capabilities, PixPirate can perform on-device fraud (ODF) and execute the fraud from the\r\nvictim’s device to avoid detection by the bank’s security and fraud detection systems.\r\nPixPirate infection flow\r\nMost financial malware comprises one main Android Package (APK) file. This is not the case for PixPirate, which\r\nis built of two components: a downloader APK and the droppee APK. 
The use of a downloader app as part of a\r\nfinancial attack is not new; however, unlike most financial malware today that uses a downloader as a service,\r\nboth the droppee and the downloader for PixPirate were created by the same actor.\r\nIn addition, the PixPirate downloader’s role in the infection flow of the malware is different from other financial\r\nmalware. Usually, the downloader is used to download and install the droppee, and from this point on, the droppee\r\nis the main actor conducting all fraudulent operations and the downloader is irrelevant. In the case of PixPirate,\r\nthe downloader is responsible not only for downloading and installing the droppee but also for running and\r\nexecuting it. The downloader plays an active part in the malicious activities of the droppee as they communicate\r\nwith each other and send commands to execute.\r\nUsually, victims get infected with PixPirate by downloading the PixPirate downloader from a malicious link sent\r\nto them through WhatsApp or an SMS phishing (smishing) message. This message convinces the victim to\r\ndownload the downloader, which impersonates a legitimate authentication app associated with the bank. Once the\r\nvictim launches the downloader, it asks the victim to install an updated version of itself, which is, in fact, the\r\nactual PixPirate malware (the droppee). After the victim approves this update, the downloader either installs the\r\ndroppee embedded in its APK or downloads it directly from the PixPirate command and control (C2) server. If the\r\ndroppee is embedded in the downloader’s APK file, it is encrypted and encoded in the downloader “/assets/”\r\nfolder, masquerading as a jpeg file to lower suspicion.\r\nNext, the downloader sends a command to the PixPirate droppee to activate and execute it. On the first run, the\r\ndroppee prompts the victim to allow its accessibility service to run. 
In the next stage, PixPirate abuses the\r\naccessibility service to grant itself all the necessary permissions it needs to run and successfully perform financial\r\nfraud.\r\nAfter the malware gets all the necessary permissions it needs to run, it collects some information and data\r\nregarding the infected device to decide if this is a legitimate device and a good candidate for fraud (anti-VM/anti-emulator, which bank apps are installed on the device and so on) and then sends all this data to the PixPirate C2.\r\nNew hiding technique in the wild\r\nMalware has always tried to hide and conceal itself from its intended victim. The most obvious and effective way\r\nis to hide the launcher icon of the malicious APK because most users do not look at the app settings screen to\r\ncheck which apps are installed, so they won’t notice the malicious app and will not try to remove it.\r\nTraditionally, financial malware hides the launcher icon using the “SetComponentEnabledSetting” API. This\r\ntechnique does not require any permission to be granted by the victim. However, from Android 10, this technique\r\nbecame ineffective for malware and could not be used anymore. We will explain how the technique works using\r\nthe FakeChat malware that also uses this technique.\r\nThe malware declares in the manifest the MainActivity that will be executed once the victim launches it by\r\npressing its icon on the home screen of the mobile device.\r\nIn the following image, we can see in the FakeChat manifest the malware’s app tag and the path of the app icon in\r\nthe icon value. 
Also, the manifest contains the MainActivity with the name\r\n“com.eg.android.AlipayGphone.MainActivity” with the action “android.intent.action.MAIN” and the category\r\n“android.intent.category.LAUNCHER.” This activity will be run and executed once the user presses the app’s icon\r\nand launches the app.\r\nIn the first run of the malware, it makes the launcher icon disappear by calling the Android API\r\n“SetComponentEnabledSetting” with the following parameters:\r\nComponentName: the component that represents the MainActivity related to the icon for launching the\r\napp.\r\nNewState: the new state of the component. In this case, the malware specifies the state\r\n“COMPONENT_ENABLED_STATE_DISABLED” to disable and hide the APK icon.\r\nFlags (optional): Value is either 0 or a combination of DONT_KILL_APP and SYNCHRONOUS.\r\nIn the following image, we can see how it is done programmatically:\r\nFrom Android 10, all app icons are visible in the launcher unless it is a system app or it does not ask for any\r\npermission at all (look at the documentation and the guide). Those limitations made this technique irrelevant for\r\nmalware from Android 10 and later. Therefore, malware could no longer hide its launcher icon and its existence.\r\nPixPirate’s new innovative hiding technique\r\nWhen examining PixPirate, IBM Trusteer detected a new technique to achieve the same goal that works in all\r\nAndroid versions to date. To accomplish the goal of hiding malware from the victim, the PixPirate droppee does\r\nnot have a main activity; that is, it does not have an activity with the action “android.intent.action.MAIN” and\r\ncategory “android.intent.category.LAUNCHER.” This change in behavior means that the app’s icon does not exist\r\non the home screen of the victim’s device at all. 
However, this also presents a new problem. If the droppee’s icon\r\ndoes not exist on the victim’s home screen, how will the victim launch the app in the first place?\r\nThe new technique requires the malware to have two applications: in this case, the downloader and the droppee\r\nthat operate together. The downloader is the app that the victim launches. The downloader then runs the droppee, which would\r\nnot be executed otherwise since its icon does not exist.\r\nHow the droppee runs\r\nSo, how does the droppee run? PixPirate built a mechanism that triggers the droppee to run when different events\r\noccur on the device.\r\nIn the following image, we can see the service used to launch the droppee replacing the activity (“MainActivity”)\r\nused in other apps and APKs. The service is exported and can be run by other processes running on the device.\r\nThis service has a custom-made action triggered by binding to this specific service. The downloader uses this to\r\ncreate and bind to this service and run the droppee every time it is required.\r\nThe method works as follows:\r\nThe droppee has a service called “com.companian.date.sepherd” exported and holds an intent-filter with\r\nthe custom action “com.ticket.stage.Service.”\r\nWhen the downloader wants to run the droppee, it creates and binds to this droppee service using the API\r\n“BindService” with the flag “BIND_AUTO_CREATE” that creates and runs the droppee service.\r\nAfter the creation and binding of the droppee service, the droppee APK is launched and starts to operate.\r\nThe BindService API has the following parameters:\r\nThe service intent “com.ticket.stage.Service”\r\nThe flag “BIND_AUTO_CREATE” (0x01) that creates and binds to the service (if the service does not\r\nexist)\r\nServiceConnection object that connects to the 
droppee service and consists of an interface to monitor the\r\nstate of the application service\r\nIn this way, the downloader succeeds in triggering the droppee to run. The ServiceConnection object is used as an\r\ninterface to maintain communications between the downloader and the droppee and allows them to send messages\r\nbetween themselves and communicate through this interface.\r\nIn the following image, we see the code from the downloader APK that creates and binds to the exported service\r\nof the droppee APK, which we saw in the previous image, to trigger the droppee to run and send it commands to\r\nexecute.\r\nThis code runs on the first execution of the droppee, just after the downloader installs the\r\ndroppee. Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it\r\nregistered. The receivers are set to be activated based on different events that occur in the system and not\r\nnecessarily by the downloader that initially triggered the droppee to run.\r\nThis technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate\r\ndownloader from their device. PixPirate malware is the first financial malware observed by IBM Trusteer\r\nresearchers that uses this technique to hide itself and its launcher icon so that victims won’t notice that malware is\r\ninstalled and running on the device.\r\nFraud modus operandi\r\nPixPirate campaigns mostly target customers of banks in Brazil. It mainly attacks the Brazilian payment service\r\ncalled Pix, the standard instant payment platform in Brazil. 
Most of the banks in Brazil implement the Pix API to\r\nsupport Pix transactions from within the banking app itself.\r\nWhat is Pix?\r\nPix is an instant payment platform that enables the quick execution of payments and transfers between bank\r\naccounts. Customers receive a Pix string or QR code that contains the amount to pay for services or goods to\r\ncomplete a transaction. Then, customers pay the Pix payment using their bank apps or through internet banking.\r\nThey can pay or transfer money using Pix through their banking app.\r\nThe Pix payment service launched in November 2020 was heavily adopted by users and businesses in Brazil and\r\nbroke records in the number of users, financial transactions, and volumes. In the following graph, we can see the\r\nnumber of Pix transactions (in thousands). In March 2023, it reached 3 billion transactions in a single month.\r\nFinancial transaction volume reached 1,250,000,000,000 Brazilian reals in March 2023, which is about $250\r\nbillion. 
By May 2023, the number of Pix users reached 140 million.\r\nPix fraud MO\r\nPixPirate Pix fraud occurs by initiating a new Pix transaction from the victim to the fraudster’s Pix account or by\r\nchanging the Pix details of the receiver of a legitimate Pix transaction initiated by the victim to the fraudster’s Pix\r\ndetails.\r\nTechnically, Pix fraud is performed thanks to PixPirate RAT capabilities gained by abusing the Android\r\naccessibility service. The malware monitors the victim’s activities on the device and waits for the user to launch a\r\ntargeted banking application. On each accessibility event, it checks the type of event that occurred. If the event\r\ntype is “TYPE_WINDOW_STATE_CHANGED,” it retrieves the name of the package of the app from the\r\nwindow. If the app is in the target list, the malware can start its malicious activities.\r\nWhen the victim launches their bank app, the malware grabs and collects the user credentials and account info\r\nwhile the user enters their credentials to log in. The malware sends the stolen info and credentials to the attacker’s\r\nC2 server. The victim is not aware that the malware is stealing credentials as everything seems legitimate, as the\r\nmalware hides itself and operates in the background.\r\nWhen the malware decides to carry out the fraud, it pops up a new screen on top of the current screen of the\r\ndevice that hides the malware’s malicious activities from the victim. The malware launches the bank app (if it’s\r\nnot running yet) and goes to the Pix page by pressing the app buttons programmatically. 
Once on the Pix\r\ntransfer/payment page, the malware executes the Pix money transfer.\r\nIn the following image, we can see the different functions the malware calls to enter the relevant details and\r\nexecute the money transfer (Pix details, amount, password and so on).\r\nThe main function responsible for the fraud is “strictPay_js.action.transfer,” which automatically executes the\r\nfraud. First, it calls SendPageNode(1) with the argument “1”. This function navigates to the Pix page in the\r\nbanking application. The next function is sendBalance(), which consists of three subfunctions:\r\ninputPix(): Enters the Pix details for executing the Pix money transfer\r\ncontinue2Password(): The malware enters the stolen victim’s credentials\r\nwaitUntilPassword(): Waits until the Pix money transfer is completed and validates that it was\r\nsuccessfully executed\r\nThe same technique is used by PixPirate for the second Pix attack MO of intercepting the victim operations and\r\nchanging the Pix details while the victim transfers the money without the victim knowing. PixPirate can\r\nmanipulate both the target account and the Pix transaction amount.\r\nIf 2FA is needed as part of the banking flow, the malware can also intercept SMS messages that the user receives\r\nfrom the bank.\r\nAutomatic fraud capabilities\r\nPixPirate fraud occurs automatically, as this malware contains code for all the different activities that are required\r\nto complete Pix fraud — log in, enter Pix details, enter credentials, confirm and more. 
PixPirate is not only an\r\nautomated attack tool, but it also has the capability of becoming a manually operated remote control attack tool.\r\nThis capability is probably implemented to manually execute fraud if the automatic fraud execution flows fail\r\nbecause the user interface of the banking app changes or if a new lucrative target presents itself.\r\nThe manual fraud is initiated by popping up an overlay screen on the victim’s device and disabling the user\r\ncontrol on the infected device to hide the fraudster’s activities in the background. Next, the malware connects to\r\nthe C2 and receives commands from the fraudster to be executed. This remote-control capability gives the\r\nfraudster control of the victim’s device, including accessing private information and manipulating applications on\r\nthe victim’s device.\r\nStay up to date on PixPirate’s capabilities\r\nWith nuanced methods of staying hidden and the capacity for serious harm, PixPirate presents a troubling new\r\nthreat on the malware playing field. We will discuss more on PixPirate’s functionality, capabilities and commands\r\nit can receive from the C2 server in part two of our PixPirate blog.\r\nPixPirate IOCs:\r\nDownloader: 019a5c8c724e490df29020c1854c5b015413c9f39af640f7b34190fd4c989e81\r\nDroppee: 9360f2ee1db89f9bac13f8de427a7b89c24919361dcd004c40c95859c8ce6a79\r\nSource: https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/"
	],
	"report_names": [
		"pixpirate-brazilian-financial-malware"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433973,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e9ef2e292bf26a3d62883215de51cd908c29c2f6.pdf",
		"text": "https://archive.orkl.eu/e9ef2e292bf26a3d62883215de51cd908c29c2f6.txt",
		"img": "https://archive.orkl.eu/e9ef2e292bf26a3d62883215de51cd908c29c2f6.jpg"
	}
}