{
	"id": "8d42d741-d9d1-46f3-a8b3-b751e7fa2c55",
	"created_at": "2026-04-06T00:10:16.163208Z",
	"updated_at": "2026-04-10T03:30:33.051966Z",
	"deleted_at": null,
	"sha1_hash": "f45ecbd2db65dc8b097c9b00d18cf44bff192925",
	"title": "PixStealer: a new wave of Android banking Trojans abusing Accessibility Services - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84587,
	"plain_text": "PixStealer: a new wave of Android banking Trojans abusing\r\nAccessibility Services - Check Point Research\r\nPublished: 2021-09-29 · Archived: 2026-04-05 18:58:00 UTC\r\nResearch by: Israel Wernik, Bohdan Melnykov\r\nIntroduction\r\nBy limiting physical interactions, the COVID-19 pandemic significantly accelerated the digitization of the\r\nbanking industry to fulfill customer needs. To cope with the demand and improve access to and awareness of financial\r\nservices, banks and governments are developing new infrastructure, protocols and tools. One of the most\r\nsuccessful examples of such initiatives launched during COVID is Pix, the instant payments solution created by\r\nthe Central Bank of Brazil. Released only in November 2020, Pix has already reached 40 million transactions a\r\nday, moving a total of $4.7 billion a week.\r\nOf course, with evolving technology come evolving hackers. A significant increase in consumers’ use of mobile\r\napps and websites for their banking transactions naturally did not escape the notice of malicious actors, especially\r\nthose targeting mobile banking.\r\nCheck Point Research recently discovered a new wave of malicious Android applications targeting the Pix\r\npayment system and Brazilian bank applications. These malicious apps, at one point distributed on the Google Play Store, seem to\r\nbe an evolution of an unclassified family of Brazilian bankers analyzed by security researchers back in April, and\r\nwere found to have been updated with new techniques and capabilities. One of the versions we found\r\ncontains never-before-seen functionality to steal victims’ money using Pix transactions. Due to its unique\r\nfunctionality and implementation, we named this version PixStealer.\r\nPixStealer is a very minimalistic malware that doesn’t perform any “classic” banker actions like stealing\r\ncredentials from targeted bank applications and communicating with a C\u0026C. 
Its “big brother” MalRhino, by\r\ncontrast, contains a variety of advanced features and introduces the use of the open-source Rhino JavaScript engine to\r\nprocess Accessibility events.\r\nIn this article, we provide a technical analysis of these malware variants and discuss the innovative techniques\r\nthey use to avoid detection, maximize the threat actor’s gain, and abuse very specific digital banking features such\r\nas the Pix system.\r\nPixStealer: a technical analysis\r\nThe PixStealer malware’s internal name is “Pag Cashback 1.4”. It was distributed on Google Play as a fake\r\nPagBank Cashback service and targeted only the Brazilian PagBank.\r\nhttps://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/\r\nPage 1 of 13\n\nThe package name com.pagcashback.beta indicates the application might be in the beta stage.\r\nPixStealer uses a “less is more” technique: as a very small app with minimum permissions and no connection to a\r\nC\u0026C, it has only one function: transfer all of the victim’s funds to an actor-controlled account.\r\nWith this approach, the malware cannot update itself by communicating with a C\u0026C, or steal and upload any\r\ninformation about the victims, but it achieves the very important goal of staying undetectable.\r\nFigure 1: VirusTotal detections of the PixStealer sample.\r\nLike many of the banking Trojans that appeared in the last few years (EventBot, Gustuff, Medusa, and others),\r\nPixStealer abuses Android’s Accessibility Service. The Accessibility Service’s main purpose is to assist users with disabilities to use\r\nAndroid devices and apps. 
However, when a victim is lured by banking malware into enabling this service, the\r\nAccessibility Service turns into a weapon, granting the application the ability to read anything a regular user can\r\naccess and perform any action a user can do on an Android device.\r\nWhen the application starts, the malware shows the victim a message box asking to activate the Accessibility\r\nService to get the alleged “cashback” functionality:\r\nFigure 2: The PixStealer malware asking for access to the Android Accessibility Service.\r\nSimilar to the previous versions of the malware, the service is named com.gservice.autobot.Acessibilidade.\r\nAfter receiving the Accessibility Service permission, the malware shows a text message with a call to open the\r\nPagBank application for synchronization. We should mention that once it has Accessibility Service access, the\r\nmalware can open the app by itself. 
Most likely, it waits for the user to open the app to avoid displaying typical\r\n“malware behavior”, which helps it remain undetected.\r\nAfter the victim opens the banking app and enters credentials, the malware uses the Accessibility Service to click the\r\n“show” button to retrieve the victim’s current balance.\r\nFigure 3: The malware clicks on the “eye” icon to retrieve the account balance.\r\nThis number is saved to SharedPreferences under the key “valor” (“value” in Portuguese):\r\nFigure 4: The malware saving the account balance to SharedPreferences under the key “valor”.\r\nNext, the malware shows a fake overlay view asking the user to wait for the synchronization to finish:\r\nFigure 5: “Synchronizing your access… Do not turn off your mobile screen” overlay screen.\r\nThis overlay screen plays a very important role: it hides the fact that in the background the malware is transferring\r\nall the funds to the actor-controlled account.\r\nTo perform the transfer, the malware first searches for the Transfer button:\r\nFigure 6: The malware searches for the Transfer button.\r\nThe malware clicks on it by using the following Accessibility actions:\r\nFigure 7: The malware’s “click on button” function.\r\nThe transfer amount is the value that was retrieved at the start of the app – the entire balance stored in the “valor”\r\nkey in SharedPreferences:\r\nFigure 8: The malware searches for the text with the string “Informe o valor da 
transf” (“enter the transfer amount”) and enters the entire balance into the transfer amount field.\r\nThe last action left is to enter the payment beneficiary. The malware searches for the CPF/CNPJ (Brazilian\r\ntaxpayer identification number) field:\r\nFigure 9: The malware searches for the Brazilian ID field\r\nand then enters the threat actor’s CPF (Brazilian ID number) via the Accessibility Service.\r\nFigure 10: The malware enters the actor-controlled ID for the transfer using Pix.\r\nA short video on the original page demonstrates the full malicious flow.\r\nThe PagBank application, targeted by PixStealer, implements an identity verification process before allowing the\r\nuser to perform a Pix transaction. The process makes sure the device belongs to the owner of the bank account and\r\nrequires the user to pass the following steps for each mobile device:\r\ntwo-factor authentication (credentials and SMS)\r\nupload documents that confirm the ownership of the account\r\ncapture a selfie with the device’s camera.\r\nOnly when the documents and the selfie pass a manual check on the bank’s side is Pix transfer enabled on the\r\ndevice. These measures guarantee that stolen credentials and even SIM swapping are not enough to\r\nperform Pix transactions. The danger of malware like PixStealer is that it bypasses all these checks, as it is\r\nrunning on the victim’s device, which has already passed the identification stage.\r\nMalRhino – PixStealer’s “big brother”\r\nA standalone banker stealer that does not require a C\u0026C connection is lightweight and almost undetectable, but\r\nlacks the ability to dynamically make adjustments. 
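A first-pass static check for the “less is more” profile described in the PixStealer section above, and for its networked counterpart. This is an added example, not code from Check Point or from the samples: it parses a decoded AndroidManifest.xml, lists the accessibility services the app declares, and combines that with the requested permissions into a coarse verdict (no accessibility service; accessibility service with network access, so it can take instructions from a C&C; accessibility service without network access, the standalone PixStealer profile). The three manifests are constructed for the example; only the package names (com.pagcashback.beta, com.gnservice.beta) and the service name (com.gservice.autobot.Acessibilidade) are taken from the report, everything else in them is assumed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'
BIND_A11Y = 'android.permission.BIND_ACCESSIBILITY_SERVICE'
A11Y_ACTION = 'android.accessibilityservice.AccessibilityService'
INTERNET = 'android.permission.INTERNET'

# Constructed manifest in the PixStealer profile: an accessibility service and no
# INTERNET permission. Package and service names are from the report; the rest is assumed.
PIXSTEALER_LIKE = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.pagcashback.beta'>
  <application android:label='Pag Cashback'>
    <activity android:name='.MainActivity'>
      <intent-filter>
        <action android:name='android.intent.action.MAIN'/>
        <category android:name='android.intent.category.LAUNCHER'/>
      </intent-filter>
    </activity>
    <service android:name='com.gservice.autobot.Acessibilidade'
        android:permission='android.permission.BIND_ACCESSIBILITY_SERVICE'>
      <intent-filter>
        <action android:name='android.accessibilityservice.AccessibilityService'/>
      </intent-filter>
      <meta-data android:name='android.accessibilityservice'
          android:resource='@xml/accessibility_config'/>
    </service>
  </application>
</manifest>'''

# Constructed manifest in the MalRhino profile: the same service plus network access,
# since the report describes a C&C that serves JavaScript macros. Package name from the report.
MALRHINO_LIKE = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.gnservice.beta'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.RECEIVE_BOOT_COMPLETED'/>
  <application android:label='iToken'>
    <service android:name='com.gservice.autobot.Acessibilidade'
        android:permission='android.permission.BIND_ACCESSIBILITY_SERVICE'>
      <intent-filter>
        <action android:name='android.accessibilityservice.AccessibilityService'/>
      </intent-filter>
    </service>
  </application>
</manifest>'''

# Constructed control: an ordinary networked app with no accessibility service.
CONTROL = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.example.notes'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <application android:label='Notes'/>
</manifest>'''


def triage_manifest(manifest_xml):
    '''Return what a triage analyst wants first: declared accessibility services,
    requested permissions, and a coarse verdict derived from the two together.'''
    root = ET.fromstring(manifest_xml)
    perms = sorted({e.get(ANDROID_NS + 'name') for e in root.findall('uses-permission')})
    services = []
    for svc in root.iter('service'):
        # Either marker is worth flagging; Android only binds the service as an accessibility
        # service when it is protected by BIND_ACCESSIBILITY_SERVICE and filters on the action.
        binds = svc.get(ANDROID_NS + 'permission') == BIND_A11Y
        actions = {a.get(ANDROID_NS + 'name') for a in svc.iter('action')}
        if binds or A11Y_ACTION in actions:
            services.append(svc.get(ANDROID_NS + 'name'))
    has_internet = INTERNET in perms
    if not services:
        verdict = 'no accessibility service'
    elif has_internet:
        verdict = 'accessibility service with network access: can take instructions from a C&C'
    else:
        verdict = 'accessibility service without network access: standalone, less-is-more profile'
    return {'package': root.get('package'), 'permissions': perms,
            'accessibility_services': services, 'has_internet': has_internet,
            'verdict': verdict}


if __name__ == '__main__':
    for xml in (PIXSTEALER_LIKE, MALRHINO_LIKE, CONTROL):
        r = triage_manifest(xml)
        print(r['package'], '->', r['verdict'])
```

The manifest only says that an accessibility service exists; what it may see and do (window-content retrieval, the package filter, the event types) lives in the XML resource referenced by the android.accessibilityservice meta-data, which is the next file to read after this check fires. Run it on the manifest produced by any APK decoder, and treat the standalone verdict as a reason to look for the behaviour the report describes (SharedPreferences writes, text searches for bank UI strings) rather than for C&C traffic.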
By looking for similar applications, we found another version\r\nof the same family which has multiple code similarities with PixStealer: manifest, log messages, service and\r\nmethod names.\r\nFigure 11: Example of similar logging functions in MalRhino (on the top) and PixStealer samples.\r\nThe malicious application is a fake iToken app for the Brazilian Inter bank, with the package name\r\ncom.gnservice.beta, and it was also distributed via the Google Play Store.\r\nThe MalRhino variant uses JavaScript via Mozilla’s Rhino framework to process Accessibility events\r\ndynamically, depending on the top running app, which gives the actor remote code execution access. This\r\ntechnique is not commonly used in mobile malware and shows how malicious actors are becoming more\r\ninnovative to avoid detection and get inside Google Play. The last time our researchers found Rhino JS used for\r\nmalicious actions was by the Xbot banker malware in 2016.\r\nJust like in the previous version, the malware shows the victim a message trying to convince them to grant the\r\nAccessibility permission:\r\nFigure 12: “To continue, activate the accessibility service of the iToken developed by Inter Digital Development”.\r\nWhen it obtains Accessibility access, the malware performs the actions that are typical for this family and\r\nimplements them the same way as the previous versions:\r\nCollect the list of installed applications and send it to the C\u0026C server together with the victim’s device info\r\nLaunch banking applications\r\nRetrieve the PIN from the Nubank application\r\nTargeted applications\r\nTo check if the top running application in the system is a supported banking app, the malware uses its package\r\nname. 
To avoid leaving the target banks’ package-name strings in the app, the malware reads the package name,\r\ncalculates its MD5 checksum, and then compares it with a pre-defined list:\r\nFigure 13: The malware checks the package name using MD5 hashes\r\nName            Package name              MD5\r\nInter bank      br.com.intermidium        2ef536239b84195e099013cfda06d3dd\r\nNuBank          com.nu.production         678212691ab75ea925633512d9e3b5f4\r\nNext            br.com.bradesco.next      d74e8b32e9d704633bd69581a15f55de\r\nSantander       com.santander.app         38737771e1ddab60c062cd0be323e89b\r\nUOL PagBank     br.com.uol.ps.myaccount   5b3deb74ec783b05645b3fff5d56667d\r\nBanco Original  br.com.original.bank      64679e8af5f494db86fb7b7312e79ba9\r\nTable 1: List of bank applications targeted by the MalRhino variant.\r\nRhinoJS dynamic code execution\r\nRhino is a JavaScript engine written fully in Java and maintained by the Mozilla Foundation as open-source\r\nsoftware. The malware developers used the open-source rhino-android library, which allows executing JavaScript code\r\nwith a bridge to Java code.\r\nIf the running application is one supported by the malware, it sends a request to the C\u0026C server to get\r\nJavaScript code with Rhino JS “macros”:\r\nFigure 14: The malware runs the GetMacroForPackage function (top), which requests JS code from the server\r\naccording to the top running app.\r\nThe response from the C\u0026C server contains JavaScript code to be executed using the Rhino engine:\r\nFigure 15: The malware executes JavaScript code inside the targeted app.\r\nUsing the Rhino JS engine, the malware has the ability to perform remote code execution when a targeted app is\r\nlaunched. 
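The hashed target list from Figure 13 and Table 1, worked through in code. This is an added example, not code from the sample or from Check Point: it reproduces the malware-side comparison (hash the foreground package name and test it against a set of hashes, so no bank package name appears in the APK) and the analyst-side recovery that produces a table like Table 1 (hash a dictionary of candidate package names and map each observed hash back). The observed hashes are the six listed in Table 1; the candidate dictionary is constructed for the example.

```python
import hashlib

# MD5 values as listed in Table 1 (recovered from the MalRhino sample).
OBSERVED_HASHES = [
    '2ef536239b84195e099013cfda06d3dd',
    '678212691ab75ea925633512d9e3b5f4',
    'd74e8b32e9d704633bd69581a15f55de',
    '38737771e1ddab60c062cd0be323e89b',
    '5b3deb74ec783b05645b3fff5d56667d',
    '64679e8af5f494db86fb7b7312e79ba9',
]

# Constructed candidate dictionary: the six package names from Table 1 plus a few
# non-banking packages that should not match anything.
CANDIDATE_PACKAGES = [
    'br.com.intermidium', 'com.nu.production', 'br.com.bradesco.next',
    'com.santander.app', 'br.com.uol.ps.myaccount', 'br.com.original.bank',
    'com.android.chrome', 'com.whatsapp', 'com.google.android.gms',
]


def md5_hex(package_name):
    '''MD5 of the package name as a lower-case hex string. MD5 serves here purely as
    string obfuscation, so its cryptographic weakness is irrelevant to the check.'''
    return hashlib.md5(package_name.encode('utf-8')).hexdigest()


def is_supported_app(foreground_package, target_hashes):
    '''Malware-side check, as in Figure 13: hash the package name of the top running app
    and test membership in the hashed target list.'''
    return md5_hex(foreground_package) in set(target_hashes)


def recover_targets(target_hashes, candidate_packages):
    '''Analyst-side recovery: hashing hides the strings but not the mapping, because the
    input space (package names of banking apps) is small. Hash every candidate and look
    each observed hash up in the result.
    Returns (recovered, unknown): a dict hash -> package name, and the hashes with no match.'''
    reverse = {md5_hex(p): p for p in candidate_packages}
    recovered = {h: reverse[h] for h in target_hashes if h in reverse}
    unknown = sorted(h for h in target_hashes if h not in reverse)
    return recovered, unknown


if __name__ == '__main__':
    recovered, unknown = recover_targets(OBSERVED_HASHES, CANDIDATE_PACKAGES)
    for h, pkg in recovered.items():
        print(h, pkg)
    print('unrecovered:', unknown)
    # What the malware would decide for a couple of foreground apps
    for pkg in ('com.nu.production', 'com.android.chrome'):
        print(pkg, 'targeted' if is_supported_app(pkg, OBSERVED_HASHES) else 'ignored')
```

Hashes left in the unrecovered list mean the candidate dictionary is missing a package name, not that the trick is unbreakable: extend the dictionary from app-store listings of the banks in the region and rerun. The list of 32-character hex constants compared against a hashed package name is itself a usable static signature for this family.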
The AccessibilityService code contains various utility methods that are not called from Java code and are\r\nmost likely intended to be triggered from the JavaScript code the malware gets from the C\u0026C server. These utility\r\nmethods include creating fake PIN-request windows, clicking elements, performing gestures, entering text, etc.\r\nFigure 16: The utility methods performing different actions using the Accessibility Service.\r\nConclusion\r\nIn this article, we analyzed two significantly different versions of the same banking malware family. Both of them introduced\r\nnew, innovative techniques to perform different actions on victims’ mobile bank accounts. The PixStealer version uses\r\nthe Pix instant payment system to transfer all the funds in the victim’s account to an actor-controlled one by\r\nabusing the Accessibility Service on an unsuspecting user’s phone. The MalRhino version uses a JavaScript-based\r\nframework to run commands inside banking applications. 
With the increasing abuse of the Accessibility Service\r\nby mobile banking malware, users should be wary of enabling the relevant permissions even in applications\r\ndistributed via known app stores such as Google Play.\r\nCheck Point Harmony Mobile is a Mobile Threat Defense solution that keeps corporate data safe by securing\r\nemployees’ mobile devices across all attack vectors: apps, network and OS.\r\nIOCs\r\nPixStealer\r\n28e8170485bbee78e1a54aae6a955e64fe299978cbb908da60e8663c794fd195 com.pagcashback.beta\r\nc0585b792c0a9b8ef99b2b31edb28c5dac23f0c9eb47a0b800de848a9ab4b06c com.pagback.beta\r\n8b4f064895f8fac9a5f25a900ff964828e481d5df2a2c2e08e17231138e3e902 com.gnservice.beta\r\nMalRhino\r\n2990f396c120b33c492d02e771c9f1968239147acec13afc9f500acae271aa11 com.gnservice.beta\r\nSource: https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/"
	],
	"report_names": [
		"pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434216,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f45ecbd2db65dc8b097c9b00d18cf44bff192925.pdf",
		"text": "https://archive.orkl.eu/f45ecbd2db65dc8b097c9b00d18cf44bff192925.txt",
		"img": "https://archive.orkl.eu/f45ecbd2db65dc8b097c9b00d18cf44bff192925.jpg"
	}
}