PixPirate Malware Uses WhatsApp to Trick Users, Steal Financial Data
PixPirate malware, spreading via WhatsApp, targets financial apps in Brazil, India, Italy, and Mexico, stealing data and staying hidden.
In a Rush? Here are the Quick Facts!
- It spreads through phishing messages via SMS and WhatsApp from infected devices.
- The malware disguises itself as a legitimate financial app for authentication or updates.
- The malware remains hidden by not displaying an icon on the home screen.
A new wave of malware known as PixPirate is spreading rapidly, primarily targeting banking users in Brazil and India, with its reach extending to Italy and Mexico.
Security researchers from Trusteer Lab have identified this threat, highlighting its sophisticated techniques that trick users into downloading malicious apps disguised as legitimate financial tools, as reported by Security Intelligence.
PixPirate consists of two main components: a downloader and the payload it installs, which the researchers call the droppee. The downloader pretends to be an authentication app designed to protect banking accounts. Once installed, it not only installs and launches the droppee but also actively manages its operations, enabling financial fraud.
The downloader is not available on official platforms like the Google Play Store. Instead, it spreads through phishing messages sent via SMS (known as smishing) or WhatsApp spam sent from already infected devices.
Once the downloader is installed, it tricks users into granting permissions by claiming an “update” is required. In reality, this process installs the droppee, the actual banking malware, on the victim’s device. The droppee stays hidden, showing no icon on the home screen or in the app drawer, which makes it difficult for users to notice or uninstall.
Initially identified in Brazil, PixPirate primarily targets the country’s Pix payment system, widely used in Brazilian banking apps. Trusteer Lab reports that around 70% of infections are in Brazil.
However, 20% of cases have been identified in India, where the malware appears to be preparing to target the country’s Unified Payments Interface (UPI) platform, which facilitates instant payments for millions of users.
Infections have also begun to surface in Italy and Mexico, suggesting the attackers aim to expand their operations globally. The malware’s developers use tools like instructional YouTube videos to guide victims on granting permissions, further aiding its spread.
A unique feature of PixPirate is its integration with WhatsApp to send phishing messages from infected devices. By accessing victims’ contact lists, it spreads itself by sending messages that appear to come from trusted sources, exploiting the recipient’s trust in a known sender.
During this activity, PixPirate uses an overlay to hide its operations from the user, ensuring the victim remains unaware. Security Intelligence notes that PixPirate employs sophisticated methods, including remote access, SMS interception, and anti-removal capabilities.
It even uses Android’s accessibility services to mimic human interaction, such as clicking buttons to send WhatsApp messages. These features enable the malware to perform fraud automatically and stealthily.
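Two of the behaviours described above, the droppee showing no icon and the use of an accessibility service to drive WhatsApp, can be checked for together from a USB-debugging session. An Android app shows no launcher icon when none of its activities declares the MAIN/LAUNCHER intent filter, so a package that holds an enabled accessibility service but answers no launcher query is worth a closer look. The following triage script is an added example written for this article; it is not PixPirate code, not Trusteer tooling, and does not detect PixPirate specifically. It parses the text of two `adb shell` commands, `settings get secure enabled_accessibility_services` (colon-separated `package/Class` entries, or the literal `null` when none is set) and `cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER` (assumed here to print one `package/Activity` per line after a count header). The sample output and the package name `com.example.droppee` are constructed so the script runs offline.

```python
"""Flag packages with an enabled accessibility service but no launcher activity.

Added example for this article (not PixPirate code or Trusteer tooling).
Feed it the output of the two adb commands named in the comments; the values
below are constructed stand-ins so the script runs without a device.
"""
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Real output is colon-separated component names, or "null" when nothing is enabled.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.droppee/.AccessService"  # hypothetical package, constructed for the example
)

# Constructed sample of: adb shell cmd package query-activities --brief \
#     -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
# Assumed format: a count header followed by one "package/Activity" per line.
LAUNCHER_QUERY = """\
2 activities found:
  com.google.android.marvin.talkback/.TalkBackPreferencesActivity
  com.whatsapp/.Main
"""

# A component name is "package/class"; the class may be written relative to the
# package with a leading dot, e.g. "com.example.droppee/.AccessService".
_COMPONENT = re.compile(r"^([A-Za-z][\w.]*)/(\.?[\w$.]+)$")


def _split_component(token: str):
    """Return (package, fully qualified class) or None if the token is not a component."""
    m = _COMPONENT.match(token.strip())
    if not m:
        return None
    pkg, cls = m.groups()
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def parse_enabled_accessibility(setting: str) -> dict:
    """Map package -> set of enabled accessibility service classes.

    `settings get` prints the literal string "null" when the key is unset, so
    that case (and an empty string) yields an empty mapping rather than a hit.
    """
    services = {}
    setting = setting.strip()
    if not setting or setting == "null":
        return services
    for token in setting.split(":"):
        comp = _split_component(token)
        if comp:
            services.setdefault(comp[0], set()).add(comp[1])
    return services


def parse_launcher_packages(query_output: str) -> set:
    """Collect the package of every launcher activity; header and blank lines are skipped."""
    pkgs = set()
    for line in query_output.splitlines():
        comp = _split_component(line)
        if comp:
            pkgs.add(comp[0])
    return pkgs


def find_hidden_accessibility_apps(setting: str, query_output: str) -> list:
    """Return sorted (package, service_class) pairs for packages that run an
    enabled accessibility service yet expose no launcher activity."""
    launchable = parse_launcher_packages(query_output)
    hits = []
    for pkg, classes in parse_enabled_accessibility(setting).items():
        if pkg not in launchable:
            hits.extend((pkg, cls) for cls in sorted(classes))
    return sorted(hits)


if __name__ == "__main__":
    for pkg, svc in find_hidden_accessibility_apps(ENABLED_A11Y, LAUNCHER_QUERY):
        print(f"review: {pkg} runs accessibility service {svc} but has no launcher icon")
```

On a real device, replace the two constants with the command output (for example `adb shell settings get secure enabled_accessibility_services`). A hit is a triage signal, not a verdict: a few legitimate accessibility tools also ship without a launcher activity, so confirm the installer source and signing certificate of anything the script lists before removing it.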
PixPirate’s resurgence highlights the growing sophistication of cybercriminal operations targeting mobile banking platforms worldwide. Users are advised to avoid installing apps from outside official stores, to scrutinize unexpected messages even when they come from known contacts, and to review which installed apps have been granted accessibility permissions.