PixPirate: The Brazilian financial malware you can't see, part one

<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <link rel="shortcut icon" type="image/x-icon" href="https://securityintelligence.com/wp-content/themes/sapphire/images/favicon.ico" sizes="32x32" /> <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,maximum-scale=1">  <title>PixPirate: The Brazilian financial malware you can't see, part one</title>   <meta name="theme-color" content="#000000">  <meta name="referrer" content="no-referrer-when-downgrade">   <script async src="https://cdn.ampproject.org/v0.js"></script> <script async custom-element="amp-list" src="https://cdn.ampproject.org/v0/amp-list-0.1.js"></script> <script async custom-template="amp-mustache" src="https://cdn.ampproject.org/v0/amp-mustache-0.2.js"></script> <script async custom-element="amp-accordion" src="https://cdn.ampproject.org/v0/amp-accordion-0.1.js"></script> <script custom-element="amp-animation" src="https://cdn.ampproject.org/v0/amp-animation-0.1.js" async></script> <script custom-element="amp-position-observer" src="https://cdn.ampproject.org/v0/amp-position-observer-0.1.js" async></script> <script async custom-element="amp-bind" src="https://cdn.ampproject.org/v0/amp-bind-0.1.js"></script> <script async custom-element="amp-autocomplete" src="https://cdn.ampproject.org/v0/amp-autocomplete-0.1.js"></script> <script async custom-element="amp-social-share" src="https://cdn.ampproject.org/v0/amp-social-share-0.1.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v1.35.0/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/next/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/card.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/image.min.js"></script> <script async custom-element="amp-lightbox-gallery" src="https://cdn.ampproject.org/v0/amp-lightbox-gallery-0.1.js"></script> <script src="https://unpkg.com/swiper/swiper-bundle.min.js"></script> <script async custom-element="amp-video" src="https://cdn.ampproject.org/v0/amp-video-0.1.js"></script> <script async custom-element="amp-youtube" src="https://cdn.ampproject.org/v0/amp-youtube-0.1.js"></script> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Office-Manager-Assisting-Employee-With-Problem-300x158.jpeg.webp" media="(max-width: 300px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Office-Manager-Assisting-Employee-With-Problem-630x330.jpeg.webp" media="(max-width: 1200px) and (min-width: 301px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Office-Manager-Assisting-Employee-With-Problem.jpeg.webp" media="(max-width: 2400px) and (min-width: 631px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Office-Manager-Assisting-Employee-With-Problem.jpeg.webp" media="(max-width: 2400px) and (min-width: 1201px)">  <script> window._ibmAnalytics = { "settings": { "name": "SecurityIntelligence", "tealiumProfileName": "ibm-subsidiary" }, "digitalData.page.services.google.enabled": true }; window.digitalData = { "page": { "pageInfo": { "effectiveDate": "2024-03-13", "publishDate": "2024-03-13", "ibm": { "siteId": "IBM_" + _ibmAnalytics.settings.name, } }, "category": { "primaryCategory": "PC090" } } }; // Custom Click Tagging // Collect and send clicks not detectable by ida_stats.js function sendClickTag(section, feature, destination) { console.log(section + " " + feature) var config = { type: 'ELEMENT', primaryCategory: section, // e_a1 - Element Category eventName: feature, // e_a2 - Element Name targetURL: destination, // e_a7 - Element Attribute: ibmEvTarget }; ibmStats.event(config); } // Custom Click Tagging // Collect and send clicks not detectable by ida_stats.js // function sendClickConversion(feature, title) { // var config = { // type : 'pageclick', // primaryCategory : 'PAGE CLICK', // eventCategoryGroup : "TIMELINE - SECURITY INTELLIGENCE", // eventName : feature, // targetTitle : title // }; // ibmStats.event(config); // } // Custom Link Event // Add clicktag event on every link inside the element function tagAllLinks(element, section, feature) { var element = document.querySelectorAll(element); if (typeof(element) != 'undefined' && element != null) { for (var i = 0; i < element.length; i++) { var elements = element[i].querySelectorAll("a:not(.btn)"); for (var o = 0; o < elements.length; o++) { if (elements[o].getAttribute('listener') !== 'true') { var destination = elements[o].getAttribute('href'); elements[o].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag(section, feature, this.getAttribute('href')); this.setAttribute('listener', 'false'); } }, false); elements[o].setAttribute('listener', 'true'); } } } } } window.onload = function() { // Call to action click tag var ctaButton = document.querySelectorAll(".single__content a"); if (typeof(ctaButton) != 'undefined' && ctaButton != null && ctaButton.length !== 0) { for (var i = 0; i < ctaButton.length; i++) { ctaButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag("BODY", "CALL TO ACTION"); this.setAttribute('listener', 'false'); } }, false); ctaButton[i].setAttribute('listener', 'true'); } } // Read more click tag var readButton = document.querySelectorAll(".continue-reading button"); if (typeof(readButton) != 'undefined' && readButton != null && readButton.length !== 0) { for (var i = 0; i < readButton.length; i++) { readButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag("BODY", "READ-MORE"); this.setAttribute('listener', 'false'); } }, false); readButton[i].setAttribute('listener', 'true'); } } // LISTICLES tag - Arrows //left arrow var leftArrow = document.getElementById("prev"); if (typeof(leftArrow) != 'undefined' && leftArrow != null) { //for (var i = 0; i < leftArrow.length; i++) { leftArrow.addEventListener('click', function() { if (this.getAttribute('listener') === 'true' && leftArrow.id == "prev") { sendClickTag("BODY", "LISTICLE-LEFT-ARROW"); this.setAttribute('listener', 'false'); } }, false); leftArrow.setAttribute('listener', 'true'); //} } //right arrow var rightArrow = document.getElementById("next"); if (typeof(rightArrow) != 'undefined' && rightArrow != null) { //for (var i = 0; i < rightArrow.length; i++) { rightArrow.addEventListener('click', function() { if (this.getAttribute('listener') === 'true' && rightArrow.id == "next") { sendClickTag("BODY", "LISTICLE-RIGHT-ARROW"); this.setAttribute('listener', 'false'); } }, false); rightArrow.setAttribute('listener', 'true'); //} } // LISTICLES tag - numbers var listicleTopButton = document.querySelectorAll(".listicle__pagination__numbers"); if (typeof(listicleTopButton) != 'undefined' && listicleTopButton != null && listicleTopButton.length !== 0) { for (var i = 0; i < listicleTopButton.length; i++) { var currentSlide = 1; listicleTopButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { currentSlide++; var total = i; // var clickedSlides=currentSlide/2; // console.log(clickedSlides.toFixed()); //I'm removing 2 because 2 arrows on the listicle are unclickable, but present on the DOM // clickableArrows = i-2; // clickableArrows = i-1; // I'm deviding by 2 because on each slide we have 2 arrows, so we were actually sendind the double of tags // clickableArrows= clickableArrows/2; // console.log(i); // clickableArrows.toFixed(); if (currentSlide <= total) { sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-SLIDE" + currentSlide); this.setAttribute('listener', 'false'); } else { sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-END"); this.setAttribute('listener', 'false'); } } }, false); listicleTopButton[i].setAttribute('listener', 'true'); } } // // Timeline box click tag // var boxButton = document.querySelectorAll(".timeline__content .box"); // if (typeof(boxButton) != 'undefined' && boxButton != null && boxButton.length !== 0) { // for (var i = 0; i < boxButton.length; i++) { // boxButton[i].addEventListener('click', function(){ // if (this.getAttribute('listener') === 'true') { // sendClickConversion("DETAILED VIEW", this.getAttribute('data-title')); // this.setAttribute('listener', 'false'); // } // }, false); // boxButton[i].setAttribute('listener', 'true'); // } // } }; </script> <script src="https://1.www.s81c.com/common/stats/ibm-common.js" type="text/javascript" async="async"></script>  <style amp-boilerplate> body { -webkit-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -moz-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -ms-animation: -amp-start 8s steps(1, end) 0s 1 normal both; animation: -amp-start 8s steps(1, end) 0s 1 normal both } @-webkit-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-moz-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-ms-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-o-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } </style><noscript> <style amp-boilerplate> body { -webkit-animation: none; -moz-animation: none; -ms-animation: none; animation: none } </style> </noscript> <link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/modules.css?v=1715191630">  <meta name='robots' content='max-image-preview:large' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/securityintelligence.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}}; /*! This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://securityintelligence.com/wp-includes/css/dist/block-library/style.min.css?ver=6.7.1' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='taxonomy-image-plugin-public-css' href='https://securityintelligence.com/wp-content/plugins/taxonomy-images/css/style.css?ver=0.9.6' type='text/css' media='screen' /> <script type="text/javascript" src="https://securityintelligence.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" src="https://securityintelligence.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/themes/sapphire/app/javascript/si-theme-cookie.js?ver=6.7.1" id="si-cookie-consent-js"></script> <link rel="https://api.w.org/" href="https://securityintelligence.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://securityintelligence.com/wp-json/wp/v2/ibm_internals/446913" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://securityintelligence.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.1" /> <link rel='shortlink' href='https://securityintelligence.com/?p=446913' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fposts%2Fpixpirate-brazilian-financial-malware%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fposts%2Fpixpirate-brazilian-financial-malware%2F&format=xml" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb-80x80.png" sizes="32x32" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <meta name="msapplication-TileImage" content="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <style amp-custom>@import url('https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/plex.css');</style><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/single.css?v=1734627165">   <meta name="description" content="Malicious software always aims to stay hidden so victims cannot detect it. PixPirate malware has taken that strategy to a new extreme."/> <meta name="robots" content="max-snippet:-1, max-image-preview:large, max-video-preview:-1"/> <link rel="canonical" href="https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="PixPirate: The Brazilian financial malware you can't see, part one" /> <meta property="og:description" content="Malicious software always aims to stay hidden so victims cannot detect it. PixPirate malware has taken that strategy to a new extreme." /> <meta property="og:url" content="https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/" /> <meta property="og:site_name" content="Security Intelligence" /> <meta property="article:tag" content="Banking" /> <meta property="article:tag" content="Banking Malware" /> <meta property="article:tag" content="Banking Security" /> <meta property="article:tag" content="Fraud Protection" /> <meta property="article:tag" content="Malware" /> <meta property="article:tag" content="Mobile Security" /> <meta property="article:tag" content="Security Intelligence" /> <meta property="article:tag" content="threat hunting" /> <meta property="article:tag" content="Trusteer" /> <meta property="article:section" content="Banking & Finance" /> <meta property="fb:app_id" content="3703311399714818" /> <meta property="og:image" content="https://securityintelligence.com/wp-content/uploads/2024/03/PixPirate-infection-flow.png" /> <meta property="og:image:secure_url" content="https://securityintelligence.com/wp-content/uploads/2024/03/PixPirate-infection-flow.png" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:description" content="Malicious software always aims to stay hidden so victims cannot detect it. PixPirate malware has taken that strategy to a new extreme." /> <meta name="twitter:title" content="PixPirate: The Brazilian financial malware you can't see, part one" /> <meta name="twitter:image" content="https://securityintelligence.com/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render.jpeg" /> <meta name="twitter:creator" content="@03" /> <script type='application/ld+json' class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://securityintelligence.com/#website","url":"https://securityintelligence.com/","name":"Security Intelligence","inLanguage":"en-US","description":"Analysis and Insight for Information Security Professionals","potentialAction":{"@type":"SearchAction","target":"https://securityintelligence.com/?s={search_term_string}","query-input":"required name=search_term_string"}},{"@type":"ImageObject","@id":"https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/#primaryimage","inLanguage":"en-US","url":"https://securityintelligence.com/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render.jpeg","width":2500,"height":1406,"caption":"A smartphone displaying a full red screen with malware warning set on a blue circuit board"},{"@type":"WebPage","@id":"https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/#webpage","url":"https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/","name":"PixPirate: The Brazilian financial malware you can't see, part one","isPartOf":{"@id":"https://securityintelligence.com/#website"},"inLanguage":"en-US","primaryImageOfPage":{"@id":"https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/#primaryimage"},"datePublished":"2024-03-13T10:00:00+00:00","dateModified":"2024-09-21T17:01:57+00:00","description":"Malicious software always aims to stay hidden so victims cannot detect it. PixPirate malware has taken that strategy to a new extreme."}]}</script>  </head> <body class="si_body" > <nav id="navigation" class="navigation navigation--homepage " aria-label="Security Intelligence"> <div class="container"> <div class="row">  <div class="navigation__brand"> <a href="https://securityintelligence.com" title="Security Intelligence" tabindex="1"> <amp-img width="280" height="31" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/logo-white.svg" alt="Security Intelligence Logo"> <div fallback> <h6>Security Intelligence</h6> </div> </amp-img> </a> </div>  <div class="navigation__menu" onmouseleave="delete localStorage['megamenu-status']"> <a tabindex="2" id="nav-news" href="/news/" class="navigation__button " data-menu="megamenu__news" onclick="localStorage['megamenu-status'] = 'first-interaction';">News</a> <a tabindex="4" id="nav-topics" href="/category/topics/" class="navigation__button " data-menu="megamenu__topics" onclick="localStorage['megamenu-status'] = 'first-interaction';">Topics</a> <a tabindex="5" id="nav-x-force" href="/x-force/" class="navigation__button " data-menu="megamenu__threat" onclick="localStorage['megamenu-status'] = 'first-interaction';">X-Force</a> <a tabindex="6" id="nav-media" href="/media/" class="navigation__button " data-menu="megamenu__podcast" onclick="localStorage['megamenu-status'] = 'first-interaction';">Podcast</a> <button aria-label="search Button" class="navigation__search" onclick="document.getElementById('search__input').focus()" on="tap:search.toggleClass(class='megamenu__open')" role="link" tabindex="-1" type="button"> <amp-img tabindex="7" width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/search.svg" alt="Click to open the search bar"></amp-img> </button> </div>  <div id="search-tablet" class="navigation__menu navigation__menu--tablet" tabindex="-1"> <button type="button" class="navigation__button " data-menu="megamenu__news">News</button> <button type="button" class="navigation__button " data-menu="megamenu__topics" on="tap:megamenu__news.hide, megamenu__series.hide, megamenu__topics.show, megamenu__industries.hide, megamenu__threat.hide, megamenu__podcast.hide, megamenu__events.hide, megamenu__mask.show" role="link" tabindex="0">Topics</button> <button type="button" class="navigation__button " data-menu="megamenu__threat" on="tap:megamenu__news.hide, megamenu__series.hide, megamenu__topics.hide, megamenu__industries.hide, megamenu__threat.show, megamenu__podcast.hide, megamenu__events.hide, megamenu__mask.show" role="link" tabindex="0">Threat Research</button> <button type="button" class="navigation__button " data-menu="megamenu__podcast" on="tap:megamenu__news.hide, megamenu__series.hide, megamenu__topics.hide, megamenu__industries.hide, megamenu__threat.hide, megamenu__podcast.show, megamenu__events.hide, megamenu__mask.show" role="link" tabindex="0">Podcast</button> <button type="button" aria-labelledby="search-tablet" class="navigation__search" onclick="document.getElementById('search__input').focus()" on="tap:search.toggleClass(class='megamenu__open')" role="link" tabindex="0"> <amp-img width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/search.svg" alt="Search"></amp-img> </button> </div>  <form id="search" class="search " method="GET" action="/" target="_top" tabindex="-1"> <amp-autocomplete filter="prefix" src="https://securityintelligence.com/wp-content/themes/sapphire/app/jsons/suggestions.json" suggest-first submit-on-enter on="select:search.submit" tabindex="-1"> <input id="search__input" tabindex="-1" type="text" name="s" autocomplete="on" placeholder="What would you like to search for?" aria-label="Search" oninput="validateInput(this)" required> </amp-autocomplete> <button tabindex="-1" value="submit" type="submit" class="search__submit" aria-label="Click to search"> <amp-img width="20" height="20" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/search.svg" alt="Search"></amp-img> <span>Search</span> </button> <button tabindex="-1" value="reset" class="search__close" type="reset" aria-labelledby="search" on="tap:search.toggleClass(class='megamenu__open')" role="link"> <amp-img width="14" height="14" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/close.svg" alt="Close"></amp-img> </button> </form>  <div id="navigation__mega">  <section id="megamenu__news" class="megamenu" data-menu="nav-news" on="tap:megamenu__news.show, megamenu__mask.show" role="link" tabindex="0"> <amp-list layout="responsive" width="1440" height="248" credentials="include" src="https://securityintelligence.com/wp-content/themes/sapphire/app/jsons/posts.php?quantity=4&type=ibm_news" binding="no"> <template type="amp-mustache"> <div class="row">  {{#articles}} <article class="megamenu__article"> <a href="{{permalink}}" class="megamenu__link"> <div class="megamenu__image"> <amp-img width="630" height="330" layout="responsive" src="{{image}}" alt="{{image_alt}}"></amp-img> </div> <h3 class="megamenu__title">{{title}}</h3> </a> </article> {{/articles}}  <a href="/news/" class="megamenu__more"> <amp-img width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/post-type-icons/news.svg" alt="News"></amp-img> <span>View All News</span> </a> </div> </template> </amp-list> </section>   <section id="megamenu__topics" class="megamenu" data-menu="nav-topics" on="tap: megamenu__topics.show, megamenu__mask.show" role="link" tabindex="0"> <div class="row">  <div class="megamenu__list"> <a href="/category/app-security/">Application Security</a> <a href="/category/artificial-intelligence/">Artificial Intelligence</a> <a href="/category/ciso-corner/">CISO</a> <a href="/category/cloud-protection/">Cloud Security</a> <a href="/category/data-protection/">Data Protection</a> <a href="/category/endpoint/">Endpoint</a> </div> <div class="megamenu__list"> <a href="/category/fraud-protection/">Fraud Protection</a> <a href="/category/identity-access/">Identity & Access</a> <a href="/category/incident-response/">Incident Response</a> <a href="/category/mainframe/">Mainframe</a> <a href="/category/network/">Network</a> <a href="/category/risk-management/">Risk Management</a> </div> <div class="megamenu__list"> <a href="/category/security-intelligence-analytics/">Intelligence & Analytics</a> <a href="/category/security-services/">Security Services</a> <a href="/category/threat-hunting/">Threat Hunting</a> <a href="/category/topics/zero-trust/">Zero Trust</a> <a href="/infographic-zero-trust-policy/">Infographic: Zero trust policy</a> </div> <div class="megamenu__list"> <span>Industries</span> <a href="/category/banking-financial-services-industry/">Banking & Finance</a> <a href="/category/energy-utility-industry/">Energy & Utility</a> <a href="/category/government/">Government</a> <a href="/category/health-care-industry/">Healthcare</a> </div>  <a href="/category/topics/" class="megamenu__more"> <amp-img width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/post-type-icons/topics.svg" alt="Topics"></amp-img> <span>View All Topics</span> </a> </div> </section>  <section id="megamenu__threat" class="megamenu" data-menu="nav-x-force" on="tap:megamenu__threat.show, megamenu__mask.show" role="link" tabindex="0"> <amp-list layout="responsive" width="1440" height="248" credentials="include" src="https://securityintelligence.com/wp-content/themes/sapphire/app/jsons/posts.php?quantity=4&category=x-force" binding="no"> <template type="amp-mustache"> <div class="row">  {{#articles}} <article class="megamenu__article"> <a href="{{permalink}}" class="megamenu__link"> <div class="megamenu__image"> <amp-img width="630" height="330" layout="responsive" src="{{image}}" alt="{{image_alt}}"></amp-img> </div> <h3 class="megamenu__title">{{title}}</h3> </a> </article> {{/articles}}  <a href="/x-force/" class="megamenu__more"> <amp-img width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/post-type-icons/threat-research.svg" alt="Threat Research"></amp-img> <span>View More From X-Force</span> </a> </div> </template> </amp-list> </section>  <section id="megamenu__podcast" class="megamenu" data-menu="nav-media" on="tap:megamenu__podcast.show, megamenu__mask.show" role="link" tabindex="0"> <amp-list layout="responsive" width="1440" height="248" credentials="include" src="https://securityintelligence.com/wp-content/themes/sapphire/app/jsons/posts.php?quantity=4&type=ibm_media" binding="no"> <template type="amp-mustache"> <div class="row">  {{#articles}} <article class="megamenu__article"> <a href="{{permalink}}" class="megamenu__link"> <div class="megamenu__image"> <amp-img width="630" height="330" layout="responsive" src="{{image}}" alt="{{image_alt}}"></amp-img> </div> <h3 class="megamenu__title">{{title}}</h3> </a> </article> {{/articles}}  <a href="/media/" class="megamenu__more"> <amp-img width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/post-type-icons/podcast.svg" alt="Podcast"></amp-img> <span>View All Episodes</span> </a> </div> </template> </amp-list> </section> </div>  <div id="megamenu__mask" class="navigation__mask " hidden></div>  <script type="text/javascript"> function validateInput(inputElement) { // Regular expression to allow only letters (both uppercase and lowercase) and numbers var regex = /^[A-Za-z0-9 ]*$/; // Get the current value of the input field var inputValue = inputElement.value; // Check if the input value matches the allowed pattern if (!regex.test(inputValue)) { // If the input contains special characters, remove them inputElement.value = inputValue.replace(/[^A-Za-z0-9 ]/g, ''); } } // DESKTOP MENU LINKS - HOVER ACTION var elementList = document.querySelectorAll('.navigation__menu .navigation__button'); for (i = 0; i < elementList.length; i++) { elementList[i].addEventListener('mouseenter', function() { if (localStorage['megamenu-status'] !== 'first-interaction') { var mega = document.getElementById("navigation__mega"); var menu_elements = document.getElementById(this.dataset.menu); var mask = document.getElementById("megamenu__mask"); menu_elements.click(); mega.classList.add('amp-open'); menu_elements.classList.add('amp-open'); mask.classList.add('amp-open'); } }); elementList[i].addEventListener('mouseleave', function() { if (localStorage['megamenu-status'] !== 'first-interaction') { var mega = document.getElementById("navigation__mega"); var menu_elements = document.getElementById(this.dataset.menu); var mask = document.getElementById("megamenu__mask"); mega.classList.remove('amp-open'); menu_elements.classList.remove('amp-open'); mask.classList.remove('amp-open'); } }); } // TABLET MENU LINKS - CLICK ACTION var elementList = document.querySelectorAll('.navigation__menu--tablet .navigation__button'); for (i = 0; i < elementList.length; i++) { elementList[i].addEventListener('click', function() { var mega = document.getElementById("navigation__mega"); var menu_elements = document.getElementById(this.dataset.menu); var mask = document.getElementById("megamenu__mask"); menu_elements.click(); mega.classList.add('amp-open'); menu_elements.classList.add('amp-open'); mask.classList.add('amp-open'); }); } // OPPENED MEGAMENU - HOVER ACTION var elementList = document.querySelectorAll('.megamenu'); for (i = 0; i < elementList.length; i++) { elementList[i].addEventListener('mouseenter', function() { var mega = document.getElementById("navigation__mega"); var nav_elements = document.getElementById(this.dataset.menu); var mask = document.getElementById("megamenu__mask"); this.classList.add('amp-open'); mega.classList.add('amp-open'); mask.classList.add('amp-open'); nav_elements.classList.add('amp-open'); }); elementList[i].addEventListener('mouseleave', function() { var mega = document.getElementById("navigation__mega"); var nav_elements = document.getElementById(this.dataset.menu); var mask = document.getElementById("megamenu__mask"); this.classList.remove('amp-open'); mega.classList.remove('amp-open'); mask.classList.remove('amp-open'); nav_elements.classList.remove('amp-open'); }); } </script>  <button type="button" aria-labelledby="search-tablet" class="search__mobile__icon" onclick="document.getElementById('search__input').focus()" on="tap:search.toggleClass(class='megamenu__open')" role="link" tabindex="0"> <amp-img width="18" height="18" layout="fixed" src="https://securityintelligence.com/wp-content/themes/sapphire/images/search.svg" alt="Search"></amp-img> </button> <div class="navigation__mobile-icon" on="tap:navigation__mobile.toggleVisibility, navigation__hamburguer.toggleVisibility, navigation__close.toggleVisibility " role="link" tabindex="0"> <amp-img id="navigation__hamburguer" width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/hamburguer.svg" alt="Menu"></amp-img> <amp-img id="navigation__close" width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/close.svg" alt="Close" hidden></amp-img> </div>  <section id="navigation__mobile" class="navigation__mobile-list" hidden> <div class="container"> <a href="/news/">News</a>  <amp-accordion disable-session-states>  <section class="navigation__accordion"> <h2>Topics</h2> <div class="navigation__accordion-content"> <div class="row"> <a href="/category/topics/">All Categories</a> <a href="/category/app-security/">Application Security</a> <a href="/category/identity-access/">Identity & Access</a> <a href="/category/artificial-intelligence/">Artificial Intelligence</a> <a href="/category/incident-response/">Incident Response</a> <a href="/category/ciso-corner/">CISO</a> <a href="/category/mainframe/">Mainframe</a> <a href="/category/cloud-protection/">Cloud Security</a> <a href="/category/mobile-security-podcasts/">Mobile Security</a> <a href="/category/data-protection/">Data Protection</a> <a href="/category/network/">Network</a> <a href="/category/endpoint/">Endpoint</a> <a href="/category/risk-management/">Risk Management</a> <a href="/category/fraud-protection/">Fraud Protection</a> <a href="/category/threat-hunting/">Threat Hunting</a> <a href="/category/security-services/">Security Services</a> <a href="/category/security-intelligence-analytics/">Security Intelligence & Analytics</a> </div> <div class="row"> <span>Industries</span> <a href="/category/industries/banking-financial-services-industry/">Banking & Finance</a> <a href="/category/energy-utility-industry/">Energy & Utility</a> <a href="/category/government/">Government</a> <a href="/category/health-care-industry/">Healthcare</a> </div> </div> </section> </amp-accordion> <a href="/x-force/">X-Force</a> <a href="/media/">Podcast</a> </section> </div> </div> </nav>  <div class="scroll-to-top ">  <div id="top-viewer" class="scroll-to-top__viewer"></div>  <div class="sticky" style="height: 100%;"> <button id="scrollToTopButton" on="tap:top-viewer.scrollTo(duration=200, position=bottom)" class="tap_target "> <div class="scroll-to-top__button"> <amp-img width="12" height="16" layout="fixed" alt="Back-to-top" src="https://securityintelligence.com/wp-content/themes/sapphire/images/scroll-to-top.svg"></amp-img> </div> </button> </div>  <amp-animation id="showAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "1", "visibility": "visible" }] }] } </script> </amp-animation> <amp-animation id="hideAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "0", "visibility": "hidden" }] }] } </script> </amp-animation> </div>  <amp-position-observer target="top-viewer" intersection-ratios="0" on="enter:hideAnim.start; exit:showAnim.start" layout="nodisplay"></amp-position-observer>  <script id="post-schema" type="application/ld+json"> { "@context": "http://schema.org", "@type": "Article", "headline": "PixPirate: The Brazilian financial malware you can’t see", "mainEntityOfPage": "https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/", "author": { "@type": "Person", "name": "Nir Somech" }, "datePublished": "2024-03-13T06:00:00-04:00", "dateModified": "2024-09-21T13:01:57-04:00", "publisher": { "@type": "Organization", "name": "Security Intelligence", "logo":{ "@type": "ImageObject", "url": "https://securityintelligence.com/wp-content/themes/security-intelligence/assets/img/logo.png" } }, "image": [ "https://securityintelligence.com/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-630x330.jpeg" ], "articleBody": "Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this malware attacking banks in Brazil. <h2>A hidden threat</h2> Within IBM Trusteer, we saw several different techniques to hide malware from its victims. Most banking malware conceals its existence on the mobile device by hiding its launcher icon from the victim using the SetComponentEnabeldSetting application programming interface (API). However, since Android 10, that technique no longer works due to new restrictions imposed by Google. To address this new challenge, PixPirate introduced a new technique to hide its icon that we have never seen financial malware use before. Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background. PixPirate abuses the accessibility service to gain RAT capabilities, monitor the victim’s activities and steal the victim’s online banking credentials, credit card details and login information of all targeted accounts. If two-factor authentication (2FA) is needed to complete the fraudulent transaction, the malware can also access, edit and delete the victim’s SMS messages, including any messages the bank sends. PixPirate uses modern capabilities and poses a serious threat to its victims. Here is a short list of PixPirate’s main malicious capabilities: <ul> <li>Manipulating and controlling other applications</li> <li>Keylogging</li> <li>Collecting a list of apps installed on the device</li> <li>Installing and removing apps from the infected device</li> <li>Locking and unlocking device screen</li> <li>Accessing registered phone accounts</li> <li>Accessing contact list and ongoing calls</li> <li>Pinpointing device location</li> <li>Anti-virtual machine (VM) and anti-debug capabilities</li> <li>Persistence after reboot</li> <li>Spreading through WhatsApp</li> <li>Reading, editing and deleting SMS messages</li> <li>Anti-removal and disabling Google Play Protect</li> </ul> Thanks to its RAT capabilities, PixPirate can perform on-device fraud (ODF) and execute the fraud from the victim’s device to avoid detection by the bank’s security and fraud detection systems. <h2>PixPirate infection flow</h2> Most financial malware comprises one main Android Package (APK) file. This is not the case for PixPirate, which is built of two components: a downloader APK and the droppee APK. The use of a downloader app as part of a financial attack is not new; however, unlike most financial malware today that uses a downloader as a service, both the droppee and the downloader for PixPirate were created by the same actor. In addition, the PixPirate downloader role in the infection flow of the malware is different from other financial malware. Usually, the downloader is used to download and install the dropped, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant. In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee but also for running and executing it. The downloader plays an active part in the malicious activities of the droppee as they communicate with each other and send commands to execute. Usually, victims get infected with PixPirate by downloading the PixPirate downloader from a malicious link sent to them through WhatsApp or an SMS phishing (smishing) message. This message convinces the victim to download the downloader, which impersonates a legitimate authentication app associated with the bank. Once the victim launches the downloader, it asks the victim to install an updated version of itself, which is, in fact, the actual PixPirate malware (the droppee). After the victim approves this update, the downloader either installs the droppee embedded in its APK or downloads it directly from the PixPirate command and control (C2) server. If the droppee is embedded in the downloader’s APK file, it is encrypted and encoded in the downloader “/assets/” folder, masquerading as a jpeg file to lower suspicion. Next, the downloader sends a command to the PixPirate droppee to activate and execute it. On the first run, the droppee prompts the victim to allow its accessibility service to run. In the next stage, PixPirate abuses the accessibility service to grant itself all the necessary permissions it needs to run and successfully perform financial fraud. After the malware gets all the necessary permissions it needs to run, it collects some information and data regarding the infected device to decide if this is a legitimate device and a good candidate for fraud (anti-VM/anti-emulator, which bank apps are installed on the device and so on) and then sends all this data to the PixPirate C2. <a href="https://securityintelligence.com/wp-content/uploads/2024/03/PixPirate-infection-flow.png"><img class="alignnone size-full wp-image-447304" src="https://securityintelligence.com/wp-content/uploads/2024/03/PixPirate-infection-flow.png" alt="Flow chart depicting the PixPirate infection flow" width="2326" height="534" /></a> <h2>New hiding technique in the wild</h2> Malware has always tried to hide and conceal itself from its intended victim. The most obvious and effective way is to hide the launcher icon of the malicious APK because most users do not look at the app settings screen to check which apps are installed, so they won’t notice the malicious app and will not try to remove it. Traditionally, financial malware hides the launcher icon using the “SetComponentEnabledSetting” API. This technique does not require any permission to be granted by the victim. However, from Android 10, this technique became ineffective for malware and could not be used anymore. We will explain how the technique works using the FakeChat malware that also uses this technique. The malware declares in the manifest the MainActivity that will be executed once the victim launches it by pressing its icon on the home screen of the mobile device. In the following image, we can see in the <a href="https://securityintelligence.com/posts/story-of-fakechat-malware/">FakeChat</a> manifest the malware’s app tag and the path of the app icon in the icon value. Also, the manifest contains the MainActivity with the name “com.eg.android.AlipayGphone.MainActivity” with the action “android.intent.action.Main” and the category “android.intent.category.LANUCHER.” This activity will be run and executed once the user presses the app’s icon and launches the app. <img src="https://images-cdn.welcomesoftware.com/Zz00MzFhOTVlZTczMWYxMWVlYWY4MDY2MGJhMDJjOWRhNw==" alt="MainActivity of FakeChat malware and icon’s path" width="931" height="141" /> In the first run of the malware, it makes the launcher icon disappear by calling the Android API “SetComponentEnabledSetting” with the following parameters: <ul> <li>ComponentName: the component that represents the MainActivity related to the icon for launching the app.</li> <li>NewState: the new state of the component. In this case, the malware specifies the state “COMPONENT_ENABLED_STATE_DISABLED” to disable and hide the APK icon.</li> <li>Flags (optional): Value is either 0 or a combination of <a href="https://developer.android.com/reference/android/content/pm/PackageManager#DONT_KILL_APP">DONT_KILL_APP</a> and <a href="https://developer.android.com/reference/android/content/pm/PackageManager#SYNCHRONOUS">SYNCHRONOUS</a>.</li> </ul> In the following image, we can see how it is done programmatically: <img class="" src="https://images-cdn.welcomesoftware.com/Zz00MzA5YWJiMjczMWYxMWVlODU2MTdhYWE2ZDUyZWQwNg==" alt="FakeChat call to SetComponenetEnabledSetting API" width="857" height="54" /> From Android 10, all app icons are visible in the launcher unless it is a system app or it does not ask for any permission at all (<a href="https://developer.android.com/reference/android/content/pm/LauncherApps#getActivityList(java.lang.String,%20android.os.UserHandle)">look at the documentation</a> <a href="https://stackoverflow.com/questions/19114439/android-hide-unhide-app-icon-programmatically">and the guide</a>). Those limitations made this technique irrelevant for malware from Android 10 and later. Therefore, malware could no longer hide its launcher icon and its existence. <h2>PixPirate’s new innovative hiding technique</h2> When examining PixPirate, IBM Trusteer detected a new technique to achieve the same goal that works in all Android versions to date. To accomplish the goal of hiding malware from the victim, the PixPirate droppee does not have a main activity; that is, it does not have an activity with the action “android.intent.action.MAIN” and category “android.intent.category.LANUCHER.” This change in behavior means that the app’s icon does not exist on the home screen of the victim’s device at all. However, this also presents a new problem. If the droppee’s icon does not exist on the victim’s home screen, how will the victim launch the app in the first place? The new technique requires the malware to have two applications: in this case, the downloader and the droppee that operate together. The downloader is the app that runs. The downloader then runs the droppee, which would not be executed otherwise since its icon does not exist. <h2>How the droppee runs</h2> So, how does the droppee run? PixPirate built a mechanism that triggers the droppee to run when different events occur on the device. In the following image, we can see the service used to launch the droppee replacing the activity (“MainActivity”) used in other apps and APKs. The service is exported and can be run by other processes running on the device. This service has a custom-made action triggered by binding to this specific service. The downloader uses this to create and bind to this service and run the droppee every time it is required. <img src="https://images-cdn.welcomesoftware.com/Zz00MzBjMzM3ODczMWYxMWVlYWZiZmZhZjYzOTc4ZWE4NQ==" alt="PixPirate droppee service that is triggered by the downloader" width="861" height="90" /> The method works as follows: <ul> <li>The droppee has a service called “com.companian.date.sepherd” exported and holds an intent-filter with the custom action “com.ticket.stage.Service.”</li> <li>When the downloader wants to run the droppee, it creates and binds to this droppee service using the API “BindService” with the flag “BIND_AUTO_CREATE” that creates and runs the droppee service.</li> <li>After the creation and binding of the droppee service, the droppee APK is launched and starts to operate.</li> </ul> The BindService API has the following parameters: <ul> <li>The service intent “com.ticket.stage.Service”</li> <li>The flag “BIND_AUTO_CREATE” (0x01) that creates and binds to the service (if the service does not exist)</li> <li>ServiceConnection object that connects to the droppee service and consists of an interface to monitor the state of the application service</li> </ul> In this way, the downloader succeeds in triggering the droppee to run. The ServiceConnection object is used as an interface to maintain communications between the downloader and the droppee and allows them to send messages between themselves and communicate through this interface. In the following image, we see the code from the downloader APK that creates and binds to the exported service of the droppee APK, which we saw in the previous image, to trigger the droppee to run and send it commands to execute. <img src="https://images-cdn.welcomesoftware.com/Zz00MzE0MjZmMDczMWYxMWVlYmYyOGVlMmRkMGJhNjg3Nw==" alt="PixPirate downloader code for triggering the droppee to run" width="687" height="184" /> This code <a>must run </a>at the first running and execution of the droppee, just after the downloader installs the droppee. Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it registered. The receivers are set to be activated based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run. This technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate downloader from their device. PixPirate malware is the first financial malware observed by IBM Trusteer researchers that uses this technique to hide itself and its launcher icon so that victims won’t notice that malware is installed and running on the device. <h2>Fraud modus operandi</h2> PixPirate campaigns mostly target customers of banks in Brazil. It mainly attacks the Brazilian payment service called Pix, the standard instant payment platform in Brazil. Most of the banks in Brazil implement the Pix API to support Pix transactions from within the banking app itself. <strong>What is Pix?</strong> <a href="https://www.bcb.gov.br/en/financialstability/pix_en">Pix</a> is an instant payment platform that enables the quick execution of payments and transfers between bank accounts. Customers receive a Pix string or QR code that contains the amount to pay for services or goods to complete a transaction. Then, customers pay the Pix payment using their bank apps or through internet banking. They can pay or transfer money using Pix through their banking app. The Pix payment service launched in November 2020 was heavily adopted by users and businesses in Brazil and broke records in the number of users, financial transactions, and volumes. In the following graph, we can see the number of Pix transactions (in thousands). In March 2023, it reached 3 billion transactions in a single month. <img src="https://images-cdn.welcomesoftware.com/Zz00MzQ1ZjAwNDczMWYxMWVlOTk0ZTc2OTZiZjQ1NTUzYQ==" alt="Pix monthly number of transactions" width="1073" height="428" /> Financial transaction volume reached 1,250,000,000,000 Brazilian reals in March 2023, which is about $250 billion. By May 2023, the number of Pix users reached 140 million. <strong>Pix fraud MO</strong> PixPirate Pix fraud occurs by initiating a new Pix transaction from the victim to the fraudster’s Pix account or by changing the Pix details of the receiver of a legitimate Pix transaction initiated by the victim to the fraudster’s Pix details. Technically, Pix fraud is performed thanks to PixPirate RAT capabilities gained by abusing the Android accessibility service. The malware monitors the victim’s activities on the device and waits for the user to launch a targeted banking application. On each accessibility event, it checks the type of event that occurred. If the event type is “TYPE_WINDOW_STATE_CHANGED,” it retrieves the name of the package of the app from the window. If the app is in the target list, the malware can start its malicious activities. When the victim launches their bank app, the malware grabs and collects the user credentials and account info while the user enters their credentials to log in. The malware sends the stolen info and credentials to the attacker’s C2 server. The victim is not aware that the malware is stealing credentials as everything seems legitimate, as the malware hides itself and operates in the background. When the malware decides to carry out the fraud, it pops up a new screen on top of the current screen of the device that hides the malware’s malicious activities from the victim. The malware launches the bank app (if it’s not running yet) and goes to the Pix page by pressing the app buttons programmatically. Once on the Pix transfer/payment page, the malware executes the Pix money transfer. In the following image, we can see the different functions the malware calls to enter the relevant details and execute the money transfer (Pix details, amount, password and so on). <img src="https://images-cdn.welcomesoftware.com/Zz00MzFhZTFjYTczMWYxMWVlOWM0ZWY2MzA5NzJjYjU0MQ==" alt="PixPirate functions" width="403" height="150" /> The main function responsible for the fraud is “strictPay_js.action.transfer,” which automatically executes the fraud. First, it calls SendPageNode(1) with the argument “1”. This function navigates to the Pix page in the banking application. The next function is sendBalance(), which consists of three subfunctions: <ul> <li><strong>inputPix()</strong>: Enters the Pix details for executing the Pix money transfer</li> <li><strong>continue2Password()</strong>: The malware enters the stolen victim’s credentials</li> <li><strong>waitUntilPassword()</strong>: Waits until the Pix money transfer is completed and validates that it was successfully executed</li> </ul> The same technique is used by PixPirate for the second Pix attack MO of intercepting the victim operations and changing the Pix details while the victim transfers the money without the victim knowing. PixPirate can manipulate both the target account and the Pix transaction amount. If 2FA is needed as part of the banking flow, the malware can also intercept SMS messages that the user receives from the bank. <h2>Automatic fraud capabilities</h2> PixPirate fraud occurs automatically, as this malware contains code for all the different activities that are required to complete Pix fraud — log in, enter Pix details, enter credentials, confirm and more. PixPirate is not only an automated attack tool, but it also has the capability of becoming a manually operated remote control attack tool. This capability is probably implemented to manually execute fraud if the automatic fraud execution flows fail because the user interface of the banking app changes or if a new lucrative target presents itself. The manual fraud is initiated by popping up an overlay screen on the victim’s device and disabling the user control on the infected device to hide the fraudster's activities in the background. Next, the malware connects to the C2 and receives commands from the fraudster to be executed. This remote-control capability gives the fraudster control of the victim’s device, including accessing private information and manipulating applications on the victim’s device. <h2>Stay up to date on PixPirate’s capabilities</h2> With nuanced methods of staying hidden and the capacity for serious harm, PixPirate presents a troubling new threat on the malware playing field. We will discuss more on PixPirate’s functionality, capabilities and commands it can receive from the C2 server in part two of our PixPirate blog. PixPirate IOCs: <strong>Downloader</strong>: 019a5c8c724e490df29020c1854c5b015413c9f39af640f7b34190fd4c989e81 <strong>Droppee</strong>: 9360f2ee1db89f9bac13f8de427a7b89c24919361dcd004c40c95859c8ce6a79" } </script>  <script id="post-schema" type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [ { "@type": "ListItem", "position": 1, "name": "Home", "item": "https://securityintelligence.com/" }, ] } </script> <div id="progressbar"> <amp-animation id="progress-animation" layout="nodisplay"> <script type="application/json"> { "duration": "1s", "iterations": "1", "fill": "both", "direction": "alternate", "animations": [{ "selector": "#progressbar", "keyframes": [{ "transform": "translateX(0)" }] }] } </script> </amp-animation> </div> <amp-position-observer target="post__content" intersection-ratios="0" viewport-margins="25vh 75vh" on="scroll:progress-animation.seekTo(percent=event.percent)" layout="nodisplay"></amp-position-observer> <div class="dark_background" style="background:black;"></div> <div class="container grid" style="background:black;">  <aside class="breadcrumbs "> <h1 class="breadcrumbs__page_title">PixPirate: The Brazilian financial malware you can’t see</h1> </aside> </div> <div class="container grid hero_background "> <div class="grid__content post "> <div class="post__thumbnail"> <amp-img alt="A smartphone displaying a full red screen with malware warning set on a blue circuit board" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-630x330.jpeg.webp" srcset="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-300x158.jpeg.webp 300w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-630x330.jpeg.webp 630w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-1200x630.jpeg.webp 1200w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-2400x1260.jpeg.webp 2400w"> <amp-img fallback alt="A smartphone displaying a full red screen with malware warning set on a blue circuit board" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-630x330.jpeg" srcset="https://securityintelligence.com/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-300x158.jpeg 300w, https://securityintelligence.com/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-630x330.jpeg 630w, https://securityintelligence.com/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-1200x630.jpeg 1200w, https://securityintelligence.com/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-2400x1260.jpeg 2400w"> </amp-img> </amp-img> </div> <div class="new_categoy"> <div class="category-container"> <div class="category"> <div class="theme"> <div class="form-check form-switch"> <div class="link-container"> <a href="#" class="theme-link" id="light-theme-link">Light</a> <a href="#" class="theme-link" id="dark-theme-link">Dark</a> </div> </div> </div> <hr class="separator"> <div class="author_date"> <div class="information"> <span class="date">March 13, 2024</span> <span class="author_category">By <a href="https://securityintelligence.com/author/nir-somech/" >Nir Somech</a> </span> <span class="author_category"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 10</span> <span class="rt-label rt-postfix">min read</span></span></span> </div> </div> <hr class="separator"> <div class="title"> <a href="https://securityintelligence.com/category/topics/banking-financial-services-industry/"><span class="name_category">Banking & Finance<br> <a href="https://securityintelligence.com/category/topics/app-security/"><span class="name_other_category">Application Security<br> <a href="https://securityintelligence.com/category/topics/fraud-protection/"><span class="name_other_category">Fraud Protection<br> </span></a> </div> <div class="social-container" style="visibility: hidden;"> <hr class="separator"> <div class="social">  <a href="https://twitter.com/intent/tweet?text=PixPirate: The Brazilian financial malware you can’t see&url=https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/twitter.svg" alt="twitter"></amp-img></a> <a href="https://www.linkedin.com/shareArticle?url=https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/linkedin.svg" alt="Linkedin" ></amp-img></a> <a href="https://www.facebook.com/sharer/sharer.php?u=https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/facebook.svg" alt="facebook"></amp-img></a> <a href="https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/link.svg" alt="An arrow pointing up"></amp-img></a> </div> </div> </div> <script> window.addEventListener('scroll', function() { var category = document.querySelector('.category'); var scrollPosition = window.scrollY; if (scrollPosition >= 0) { category.classList.add('sticky'); } else { category.classList.remove('sticky'); } }); // Function to set the light theme function setLightTheme(event, toSaveLocalStorage = true) { event.preventDefault(); const body = document.body; body.classList.remove('dark-theme'); // Save the user's theme preference in localStorage if (toSaveLocalStorage && !location.href.includes("/x-force/")) { setSiTheme('light'); } } // Function to set the dark theme function setDarkTheme(event, toSaveLocalStorage = true) { event.preventDefault(); const body = document.body; body.classList.add('dark-theme'); // Save the user's theme preference in localStorage if (toSaveLocalStorage && !location.href.includes("/x-force/")) { setSiTheme('dark'); } } // Add click event listeners to the theme links document.getElementById('light-theme-link').addEventListener('click', (event) => setLightTheme(event)); document.getElementById('dark-theme-link').addEventListener('click', (event) => setDarkTheme(event)); // Check localStorage to set the initial theme preference const themePreference = localStorage.getItem('si-theme-mode'); // Function to simulate a click event function simulateClick(handler, toSaveLocalStorage) { const event = new Event('click'); handler(event, toSaveLocalStorage); } // Apply the correct theme based on URL and preference if (location.href.includes("/x-force/")) { simulateClick(setDarkTheme, false); // Apply the dark theme for all x-force posts } else if (themePreference === 'dark') { simulateClick(setDarkTheme, true); // Apply the dark theme based on user preference } else if (themePreference === 'light') { simulateClick(setLightTheme, true); // Apply the light theme based on user preference (default) } else { simulateClick(setLightTheme, true); // Apply the light theme by default } </script> <script> const cookies = JSON.parse(localStorage.getItem("truste.eu.cookie.notice_preferences")); if (cookies && cookies.value === '2:') { document.querySelector('.social-container').style.visibility = 'visible'; } </script> </div> <main class="post__content post__content--continue_reading" id="post__content"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <html><body><p>Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme.</p> <p>PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this malware attacking banks in Brazil.</p> <h2>A hidden threat</h2> <p>Within IBM Trusteer, we saw several different techniques to hide malware from its victims. Most banking malware conceals its existence on the mobile device by hiding its launcher icon from the victim using the SetComponentEnabeldSetting application programming interface (API). However, since Android 10, that technique no longer works due to new restrictions imposed by Google.</p> <p>To address this new challenge, PixPirate introduced a new technique to hide its icon that we have never seen financial malware use before. Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background.</p> <p>PixPirate abuses the accessibility service to gain RAT capabilities, monitor the victim’s activities and steal the victim’s online banking credentials, credit card details and login information of all targeted accounts. If two-factor authentication (2FA) is needed to complete the fraudulent transaction, the malware can also access, edit and delete the victim’s SMS messages, including any messages the bank sends.</p> <p>PixPirate uses modern capabilities and poses a serious threat to its victims. Here is a short list of PixPirate’s main malicious capabilities:</p> <ul> <li>Manipulating and controlling other applications</li> <li>Keylogging</li> <li>Collecting a list of apps installed on the device</li> <li>Installing and removing apps from the infected device</li> <li>Locking and unlocking device screen</li> <li>Accessing registered phone accounts</li> <li>Accessing contact list and ongoing calls</li> <li>Pinpointing device location</li> <li>Anti-virtual machine (VM) and anti-debug capabilities</li> <li>Persistence after reboot</li> <li>Spreading through WhatsApp</li> <li>Reading, editing and deleting SMS messages</li> <li>Anti-removal and disabling Google Play Protect</li> </ul> <p>Thanks to its RAT capabilities, PixPirate can perform on-device fraud (ODF) and execute the fraud from the victim’s device to avoid detection by the bank’s security and fraud detection systems.</p> <h2>PixPirate infection flow</h2> <p>Most financial malware comprises one main Android Package (APK) file. This is not the case for PixPirate, which is built of two components: a downloader APK and the droppee APK. The use of a downloader app as part of a financial attack is not new; however, unlike most financial malware today that uses a downloader as a service, both the droppee and the downloader for PixPirate were created by the same actor.</p> <p>In addition, the PixPirate downloader role in the infection flow of the malware is different from other financial malware. Usually, the downloader is used to download and install the dropped, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant. In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee but also for running and executing it. The downloader plays an active part in the malicious activities of the droppee as they communicate with each other and send commands to execute.</p> <p>Usually, victims get infected with PixPirate by downloading the PixPirate downloader from a malicious link sent to them through WhatsApp or an SMS phishing (smishing) message. This message convinces the victim to download the downloader, which impersonates a legitimate authentication app associated with the bank. Once the victim launches the downloader, it asks the victim to install an updated version of itself, which is, in fact, the actual PixPirate malware (the droppee). After the victim approves this update, the downloader either installs the droppee embedded in its APK or downloads it directly from the PixPirate command and control (C2) server. If the droppee is embedded in the downloader’s APK file, it is encrypted and encoded in the downloader “/assets/” folder, masquerading as a jpeg file to lower suspicion.</p> <p>Next, the downloader sends a command to the PixPirate droppee to activate and execute it. On the first run, the droppee prompts the victim to allow its accessibility service to run. In the next stage, PixPirate abuses the accessibility service to grant itself all the necessary permissions it needs to run and successfully perform financial fraud.</p> <p>After the malware gets all the necessary permissions it needs to run, it collects some information and data regarding the infected device to decide if this is a legitimate device and a good candidate for fraud (anti-VM/anti-emulator, which bank apps are installed on the device and so on) and then sends all this data to the PixPirate C2.</p> <p><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/03/PixPirate-infection-flow.png" layout="intrinsic" class="alignnone size-full wp-image-447304" alt="Flow chart depicting the PixPirate infection flow" srcset="https://securityintelligence.com/wp-content/uploads/2024/03/PixPirate-infection-flow.png 2326w, https://securityintelligence.com/wp-content/uploads/2024/03/PixPirate-infection-flow-1536x353.png 1536w, https://securityintelligence.com/wp-content/uploads/2024/03/PixPirate-infection-flow-2048x470.png 2048w" width="2326" height="534" lightbox="lightbox"></amp-img></p> <h2>New hiding technique in the wild</h2> <p>Malware has always tried to hide and conceal itself from its intended victim. The most obvious and effective way is to hide the launcher icon of the malicious APK because most users do not look at the app settings screen to check which apps are installed, so they won’t notice the malicious app and will not try to remove it.</p> <p>Traditionally, financial malware hides the launcher icon using the “SetComponentEnabledSetting” API. This technique does not require any permission to be granted by the victim. However, from Android 10, this technique became ineffective for malware and could not be used anymore. We will explain how the technique works using the FakeChat malware that also uses this technique.</p> <p>The malware declares in the manifest the MainActivity that will be executed once the victim launches it by pressing its icon on the home screen of the mobile device.</p> <p>In the following image, we can see in the <a href="https://securityintelligence.com/posts/story-of-fakechat-malware/" >FakeChat</a> manifest the malware’s app tag and the path of the app icon in the icon value. Also, the manifest contains the MainActivity with the name “com.eg.android.AlipayGphone.MainActivity” with the action “android.intent.action.Main” and the category “android.intent.category.LANUCHER.” This activity will be run and executed once the user presses the app’s icon and launches the app.</p> <p><amp-img src="https://images-cdn.welcomesoftware.com/Zz00MzFhOTVlZTczMWYxMWVlYWY4MDY2MGJhMDJjOWRhNw==" layout="intrinsic" class="" alt="MainActivity of FakeChat malware and icon’s path" width="931" height="141" lightbox="lightbox"></amp-img></p> <p>In the first run of the malware, it makes the launcher icon disappear by calling the Android API “SetComponentEnabledSetting” with the following parameters:</p> <ul> <li>ComponentName: the component that represents the MainActivity related to the icon for launching the app.</li> <li>NewState: the new state of the component. In this case, the malware specifies the state “COMPONENT_ENABLED_STATE_DISABLED” to disable and hide the APK icon.</li> <li>Flags (optional): Value is either 0 or a combination of <a href="https://developer.android.com/reference/android/content/pm/PackageManager#DONT_KILL_APP" target="_blank" rel="noopener nofollow" >DONT_KILL_APP</a> and <a href="https://developer.android.com/reference/android/content/pm/PackageManager#SYNCHRONOUS" target="_blank" rel="noopener nofollow" >SYNCHRONOUS</a>.</li> </ul> <p>In the following image, we can see how it is done programmatically:</p> <p><amp-img src="https://images-cdn.welcomesoftware.com/Zz00MzA5YWJiMjczMWYxMWVlODU2MTdhYWE2ZDUyZWQwNg==" layout="intrinsic" class="" alt="FakeChat call to SetComponenetEnabledSetting API" width="857" height="54" lightbox="lightbox"></amp-img></p> <p>From Android 10, all app icons are visible in the launcher unless it is a system app or it does not ask for any permission at all (<a href="https://developer.android.com/reference/android/content/pm/LauncherApps#getActivityList(java.lang.String,%20android.os.UserHandle)" target="_blank" rel="noopener nofollow" >look at the documentation</a> <a href="https://stackoverflow.com/questions/19114439/android-hide-unhide-app-icon-programmatically" target="_blank" rel="noopener nofollow" >and the guide</a>). Those limitations made this technique irrelevant for malware from Android 10 and later. Therefore, malware could no longer hide its launcher icon and its existence.</p> <h2>PixPirate’s new innovative hiding technique</h2> <p>When examining PixPirate, IBM Trusteer detected a new technique to achieve the same goal that works in all Android versions to date. To accomplish the goal of hiding malware from the victim, the PixPirate droppee does not have a main activity; that is, it does not have an activity with the action “android.intent.action.MAIN” and category “android.intent.category.LANUCHER.” This change in behavior means that the app’s icon does not exist on the home screen of the victim’s device at all. However, this also presents a new problem. If the droppee’s icon does not exist on the victim’s home screen, how will the victim launch the app in the first place?</p> <p>The new technique requires the malware to have two applications: in this case, the downloader and the droppee that operate together. The downloader is the app that runs. The downloader then runs the droppee, which would not be executed otherwise since its icon does not exist.</p> <h2>How the droppee runs</h2> <p>So, how does the droppee run? PixPirate built a mechanism that triggers the droppee to run when different events occur on the device.</p> <p>In the following image, we can see the service used to launch the droppee replacing the activity (“MainActivity”) used in other apps and APKs. The service is exported and can be run by other processes running on the device. This service has a custom-made action triggered by binding to this specific service. The downloader uses this to create and bind to this service and run the droppee every time it is required.</p> <p><amp-img src="https://images-cdn.welcomesoftware.com/Zz00MzBjMzM3ODczMWYxMWVlYWZiZmZhZjYzOTc4ZWE4NQ==" layout="intrinsic" class="" alt="PixPirate droppee service that is triggered by the downloader" width="861" height="90" lightbox="lightbox"></amp-img></p> <p>The method works as follows:</p> <ul> <li>The droppee has a service called “com.companian.date.sepherd” exported and holds an intent-filter with the custom action “com.ticket.stage.Service.”</li> <li>When the downloader wants to run the droppee, it creates and binds to this droppee service using the API “BindService” with the flag “BIND_AUTO_CREATE” that creates and runs the droppee service.</li> <li>After the creation and binding of the droppee service, the droppee APK is launched and starts to operate.</li> </ul> <p>The BindService API has the following parameters:</p> <ul> <li>The service intent “com.ticket.stage.Service”</li> <li>The flag “BIND_AUTO_CREATE” (0x01) that creates and binds to the service (if the service does not exist)</li> <li>ServiceConnection object that connects to the droppee service and consists of an interface to monitor the state of the application service</li> </ul> <p>In this way, the downloader succeeds in triggering the droppee to run. The ServiceConnection object is used as an interface to maintain communications between the downloader and the droppee and allows them to send messages between themselves and communicate through this interface.</p> <p>In the following image, we see the code from the downloader APK that creates and binds to the exported service of the droppee APK, which we saw in the previous image, to trigger the droppee to run and send it commands to execute.</p> <p><amp-img src="https://images-cdn.welcomesoftware.com/Zz00MzE0MjZmMDczMWYxMWVlYmYyOGVlMmRkMGJhNjg3Nw==" layout="intrinsic" class="" alt="PixPirate downloader code for triggering the droppee to run" width="687" height="184" lightbox="lightbox"></amp-img></p> <p>This code <a >must run </a>at the first running and execution of the droppee, just after the downloader installs the droppee. Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it registered. The receivers are set to be activated based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run.</p> <p>This technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate downloader from their device. PixPirate malware is the first financial malware observed by IBM Trusteer researchers that uses this technique to hide itself and its launcher icon so that victims won’t notice that malware is installed and running on the device.</p> <h2>Fraud modus operandi</h2> <p>PixPirate campaigns mostly target customers of banks in Brazil. It mainly attacks the Brazilian payment service called Pix, the standard instant payment platform in Brazil. Most of the banks in Brazil implement the Pix API to support Pix transactions from within the banking app itself.</p> <p><strong>What is Pix?</strong></p> <p><a href="https://www.bcb.gov.br/en/financialstability/pix_en" target="_blank" rel="noopener nofollow" >Pix</a> is an instant payment platform that enables the quick execution of payments and transfers between bank accounts. Customers receive a Pix string or QR code that contains the amount to pay for services or goods to complete a transaction. Then, customers pay the Pix payment using their bank apps or through internet banking. They can pay or transfer money using Pix through their banking app.</p> <p>The Pix payment service launched in November 2020 was heavily adopted by users and businesses in Brazil and broke records in the number of users, financial transactions, and volumes. In the following graph, we can see the number of Pix transactions (in thousands). In March 2023, it reached 3 billion transactions in a single month.</p> <p><amp-img src="https://images-cdn.welcomesoftware.com/Zz00MzQ1ZjAwNDczMWYxMWVlOTk0ZTc2OTZiZjQ1NTUzYQ==" layout="intrinsic" class="" alt="Pix monthly number of transactions" width="1073" height="428" lightbox="lightbox"></amp-img></p> <p>Financial transaction volume reached 1,250,000,000,000 Brazilian reals in March 2023, which is about $250 billion. By May 2023, the number of Pix users reached 140 million.</p> <p><strong>Pix fraud MO</strong></p> <p>PixPirate Pix fraud occurs by initiating a new Pix transaction from the victim to the fraudster’s Pix account or by changing the Pix details of the receiver of a legitimate Pix transaction initiated by the victim to the fraudster’s Pix details.</p> <p>Technically, Pix fraud is performed thanks to PixPirate RAT capabilities gained by abusing the Android accessibility service. The malware monitors the victim’s activities on the device and waits for the user to launch a targeted banking application. On each accessibility event, it checks the type of event that occurred. If the event type is “TYPE_WINDOW_STATE_CHANGED,” it retrieves the name of the package of the app from the window. If the app is in the target list, the malware can start its malicious activities.</p> <p>When the victim launches their bank app, the malware grabs and collects the user credentials and account info while the user enters their credentials to log in. The malware sends the stolen info and credentials to the attacker’s C2 server. The victim is not aware that the malware is stealing credentials as everything seems legitimate, as the malware hides itself and operates in the background.</p> <p>When the malware decides to carry out the fraud, it pops up a new screen on top of the current screen of the device that hides the malware’s malicious activities from the victim. The malware launches the bank app (if it’s not running yet) and goes to the Pix page by pressing the app buttons programmatically. Once on the Pix transfer/payment page, the malware executes the Pix money transfer.</p> <p>In the following image, we can see the different functions the malware calls to enter the relevant details and execute the money transfer (Pix details, amount, password and so on).</p> <p><amp-img src="https://images-cdn.welcomesoftware.com/Zz00MzFhZTFjYTczMWYxMWVlOWM0ZWY2MzA5NzJjYjU0MQ==" layout="intrinsic" class="" alt="PixPirate functions" width="403" height="150" lightbox="lightbox"></amp-img></p> <p>The main function responsible for the fraud is “strictPay_js.action.transfer,” which automatically executes the fraud. First, it calls SendPageNode(1) with the argument “1”. This function navigates to the Pix page in the banking application. The next function is sendBalance(), which consists of three subfunctions:</p> <ul> <li><strong>inputPix()</strong>: Enters the Pix details for executing the Pix money transfer</li> <li><strong>continue2Password()</strong>: The malware enters the stolen victim’s credentials</li> <li><strong>waitUntilPassword()</strong>: Waits until the Pix money transfer is completed and validates that it was successfully executed</li> </ul> <p>The same technique is used by PixPirate for the second Pix attack MO of intercepting the victim operations and changing the Pix details while the victim transfers the money without the victim knowing. PixPirate can manipulate both the target account and the Pix transaction amount.</p> <p>If 2FA is needed as part of the banking flow, the malware can also intercept SMS messages that the user receives from the bank.</p> <h2>Automatic fraud capabilities</h2> <p>PixPirate fraud occurs automatically, as this malware contains code for all the different activities that are required to complete Pix fraud — log in, enter Pix details, enter credentials, confirm and more. PixPirate is not only an automated attack tool, but it also has the capability of becoming a manually operated remote control attack tool. This capability is probably implemented to manually execute fraud if the automatic fraud execution flows fail because the user interface of the banking app changes or if a new lucrative target presents itself.</p> <p>The manual fraud is initiated by popping up an overlay screen on the victim’s device and disabling the user control on the infected device to hide the fraudster’s activities in the background. Next, the malware connects to the C2 and receives commands from the fraudster to be executed. This remote-control capability gives the fraudster control of the victim’s device, including accessing private information and manipulating applications on the victim’s device.</p> <h2>Stay up to date on PixPirate’s capabilities</h2> <p>With nuanced methods of staying hidden and the capacity for serious harm, PixPirate presents a troubling new threat on the malware playing field. We will discuss more on PixPirate’s functionality, capabilities and commands it can receive from the C2 server in part two of our PixPirate blog.</p> <p>PixPirate IOCs:<br> <strong>Downloader</strong>: 019a5c8c724e490df29020c1854c5b015413c9f39af640f7b34190fd4c989e81<br> <strong>Droppee</strong>: 9360f2ee1db89f9bac13f8de427a7b89c24919361dcd004c40c95859c8ce6a79</p> </body></html> <div id="nc_pixel"></div><div class="post__tags"> <a href="https://securityintelligence.com/tag/banking/" rel="tag">Banking</a><span> | </span><a href="https://securityintelligence.com/tag/banking-malware/" rel="tag">Banking Malware</a><span> | </span><a href="https://securityintelligence.com/tag/banking-security/" rel="tag">Banking Security</a><span> | </span><a href="https://securityintelligence.com/tag/fraud-protection/" rel="tag">Fraud Protection</a><span> | </span><a href="https://securityintelligence.com/tag/malware/" rel="tag">Malware</a><span> | </span><a href="https://securityintelligence.com/tag/mobile-security/" rel="tag">Mobile Security</a><span> | </span><a href="https://securityintelligence.com/tag/security-intelligence/" rel="tag">Security Intelligence</a><span> | </span><a href="https://securityintelligence.com/tag/threat-hunting/" rel="tag">threat hunting</a><span> | </span><a href="https://securityintelligence.com/tag/trusteer/" rel="tag">Trusteer</a></div> <div class="post__author author "> <div class="author__box"> <div class="author__photo" style="background-image: url(https://securityintelligence.com/wp-content/themes/sapphire/images/default-pic.jpg);"></div> <div class="author__infos"> <div class="author__name"><a href="https://securityintelligence.com/author/nir-somech/" >Nir Somech</a></div> <div class="author__role">Malware Researcher – Trusteer IBM</div> </div> </div> </div>  <style type="text/css"> .post__content--continue_reading{ max-height: 725px; overflow:hidden; transition: max-height cubic-bezier(0.9, 0, 1, 1) 2s; } @media (max-width: 768px) { .post__content--continue_reading{ max-height: 1225px; } } </style> <div class="continue_reading_wrapper" id="continue_reading"> <button on="tap: post__content.toggleClass(class=post__content--continue_reading), continue_reading.toggleClass(class=continue_reading_wrapper--clicked)" tabindex="0" role="button">Continue Reading</button> </div> </main> </div> </div> <aside class="grid__sidebar post__sidebar "> <div class="mobile_divider"></div> <header class="post__sidebar__header">POPULAR</header>  <article class="article article_grid article__mobile--card">  <a class="exclusive_article__category_link" href="https://securityintelligence.com/articles/hacking-the-mind-why-psychology-matters-to-cybersecurity/" aria-label="Hacking the mind: Why psychology matters to cybersecurity"> <div class="article__img"> <amp-img alt="Hands typing on a laptop next to a window of bright sunny day & a yellow outline of a digital brain image in the foreground" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Double-exposure-of-creative-human-brain-microcircuit-with-hand-typing-on-computer-keyboard-on-background.-Future-technology-and-AI-concept-630x330.jpeg.webp"> <amp-img fallback alt="Hands typing on a laptop next to a window of bright sunny day & a yellow outline of a digital brain image in the foreground" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2025/02/Double-exposure-of-creative-human-brain-microcircuit-with-hand-typing-on-computer-keyboard-on-background.-Future-technology-and-AI-concept-630x330.jpeg"> </amp-img> </amp-img> </div> </a>  <div class="article__text_container" style="-webkit-box-orient: vertical;">  <a class="article__category_link" href="https://securityintelligence.com/category/topics/security-intelligence-analytics/" aria-label="https://securityintelligence.com/category/topics/security-intelligence-analytics/"> Intelligence & Analytics </a>  <span class="article__date"> February 6, 2025 </span>  <a href="https://securityintelligence.com/articles/hacking-the-mind-why-psychology-matters-to-cybersecurity/" class="article__content_link" aria-label="Hacking the mind: Why psychology matters to cybersecurity"> <h2 class="article__title">Hacking the mind: Why psychology matters to cybersecurity</h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 4</span> <span class="rt-label rt-postfix">min read</span></span> - </span>In cybersecurity, too often, the emphasis is placed on advanced technology meant to shield digital infrastructure from external threats. Yet, an equally crucial — and underestimated — factor lies at the heart of all digital interactions: the human mind. Behind… </p> </a> </div> </article> <article class="article article_grid article__mobile--card">  <a class="exclusive_article__category_link" href="https://securityintelligence.com/articles/how-red-teaming-helps-safeguard-the-infrastructure-behind-ai-models/" aria-label="How red teaming helps safeguard the infrastructure behind AI models"> <div class="article__img"> <amp-img alt="A woman in a red shirt sitting at a desk in an office with her back to us working on a laptop" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/In-a-contemporary-office-setting-a-young-businesswoman-is-focused-on-her-laptop-displaying-dedication-and-efficiency-in-her-work-630x330.jpeg.webp"> <amp-img fallback alt="A woman in a red shirt sitting at a desk in an office with her back to us working on a laptop" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2025/02/In-a-contemporary-office-setting-a-young-businesswoman-is-focused-on-her-laptop-displaying-dedication-and-efficiency-in-her-work-630x330.jpeg"> </amp-img> </amp-img> </div> </a>  <div class="article__text_container" style="-webkit-box-orient: vertical;">  <a class="article__category_link" href="https://securityintelligence.com/category/topics/artificial-intelligence/" aria-label="https://securityintelligence.com/category/topics/artificial-intelligence/"> Artificial Intelligence </a>  <span class="article__date"> February 13, 2025 </span>  <a href="https://securityintelligence.com/articles/how-red-teaming-helps-safeguard-the-infrastructure-behind-ai-models/" class="article__content_link" aria-label="How red teaming helps safeguard the infrastructure behind AI models"> <h2 class="article__title">How red teaming helps safeguard the infrastructure behind AI models</h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 4</span> <span class="rt-label rt-postfix">min read</span></span> - </span>Artificial intelligence (AI) is now squarely on the frontlines of information security. However, as is often the case when the pace of technological innovation is very rapid, security often ends up being a secondary consideration. This is increasingly evident from… </p> </a> </div> </article> <article class="article article_grid article__mobile--card">  <a class="exclusive_article__category_link" href="https://securityintelligence.com/articles/will-ai-threaten-the-role-of-human-creativity-in-cyber-threat-detection/" aria-label="Will AI threaten the role of human creativity in cyber threat detection?"> <div class="article__img"> <amp-img alt="A robot hand in bottom left corner finger pointing up to a lit lightbulb & a human hand upper right corner pointing down to same" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Creative-and-innovation-inspiration.-Business-Bright-idea-and-Artificial-Intelligence-solution-concept-630x330.jpeg.webp"> <amp-img fallback alt="A robot hand in bottom left corner finger pointing up to a lit lightbulb & a human hand upper right corner pointing down to same" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2025/02/Creative-and-innovation-inspiration.-Business-Bright-idea-and-Artificial-Intelligence-solution-concept-630x330.jpeg"> </amp-img> </amp-img> </div> </a>  <div class="article__text_container" style="-webkit-box-orient: vertical;">  <a class="article__category_link" href="https://securityintelligence.com/category/topics/artificial-intelligence/" aria-label="https://securityintelligence.com/category/topics/artificial-intelligence/"> Artificial Intelligence </a>  <span class="article__date"> February 7, 2025 </span>  <a href="https://securityintelligence.com/articles/will-ai-threaten-the-role-of-human-creativity-in-cyber-threat-detection/" class="article__content_link" aria-label="Will AI threaten the role of human creativity in cyber threat detection?"> <h2 class="article__title">Will AI threaten the role of human creativity in cyber threat detection?</h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 4</span> <span class="rt-label rt-postfix">min read</span></span> - </span>Cybersecurity requires creativity and thinking outside the box. It’s why more organizations are looking at people with soft skills and coming from outside the tech industry to address the cyber skills gap. As the threat landscape becomes more complex and… </p> </a> </div> </article>  <div class="billboard_wrapper"> <a href="https://www.ibm.com/reports/data-breach?utm_medium=OSocial&utm_source=Blog&utm_content=RSRWW&utm_id=si-blog-right-rail " aria-label="A SPONSORED flag "> <amp-img layout='responsive' widht='300' height='250' src="https://securityintelligence.com/wp-content/uploads/2024/07/SIB_CODB_rightrail_banners2024-think_600x1200.png" alt="CODB right rail banner with red, blue, & purple lines in a wide circular pattern"> </amp-img> </a> </div> </aside> </div> <script> const kaltura = document.querySelectorAll("[data-widget=\"videoplayer\"]") if (kaltura != null) { kaltura.forEach(function(item){ const kId = item.id + '--' + item.dataset.videoid; document.getElementById(item.id).id = kId; getKalturaVideo(item); }) } </script> <div class="card_container_background "> <section class="container cards"> <h3>More from Banking & Finance</h3> <div class="cards__wrapper"> <article class="article article--card cards__article_grid ">  <a class="exclusive_article__category_link" href="https://securityintelligence.com/posts/black-friday-chaos-return-of-gozi-malware/"> <div class="article__img"> <amp-img alt="Digital screen with red, yellow, & orange coding in background & red triangle warning malware in foreground" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/12/Abstract-Warning-of-a-detected-malware-program-630x330.jpeg.webp"> <amp-img fallback alt="Digital screen with red, yellow, & orange coding in background & red triangle warning malware in foreground" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2024/12/Abstract-Warning-of-a-detected-malware-program-630x330.jpeg"> </amp-img> </amp-img> </div> </a>  <div class="article__text_container" style="-webkit-box-orient: vertical;">  <div class="article__eyebrow"> <span class="article__date"> December 19, 2024 </span> </div>  <a href="https://securityintelligence.com/posts/black-friday-chaos-return-of-gozi-malware/" class="article__content_link"> <div class="article__direction"> <h2 class="article__title"> Black Friday chaos: The return of Gozi malware </h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 4</span> <span class="rt-label rt-postfix">min read</span></span> - </span>On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity… </p> </div> </a> </div> </article> <article class="article article--card cards__article_grid ">  <a class="exclusive_article__category_link" href="https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/"> <div class="article__img"> <amp-img alt="Closeup on a smartphone in man's hands being held in front of his chest and close to his face" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-630x330.jpeg.webp"> <amp-img fallback alt="Closeup on a smartphone in man's hands being held in front of his chest and close to his face" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-630x330.jpeg"> </amp-img> </amp-img> </div> </a>  <div class="article__text_container" style="-webkit-box-orient: vertical;">  <div class="article__eyebrow"> <span class="article__date"> November 26, 2024 </span> </div>  <a href="https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/" class="article__content_link"> <div class="article__direction"> <h2 class="article__title"> What’s up India? PixPirate is back and spreading via WhatsApp </h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 8</span> <span class="rt-label rt-postfix">min read</span></span> - </span>This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also… </p> </div> </a> </div> </article> <article class="article article--card cards__article_grid ">  <a class="exclusive_article__category_link" href="https://securityintelligence.com/posts/exploring-dora-how-to-manage-ict-incidents/"> <div class="article__img"> <amp-img alt="Man working on financials on laptop and smartphone" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Male-financial-advisor-doing-online-payment-through-smart-phone-and-using-laptop-at-cafe-630x330.jpeg.webp"> <amp-img fallback alt="Man working on financials on laptop and smartphone" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2024/11/Male-financial-advisor-doing-online-payment-through-smart-phone-and-using-laptop-at-cafe-630x330.jpeg"> </amp-img> </amp-img> </div> </a>  <div class="article__text_container" style="-webkit-box-orient: vertical;">  <div class="article__eyebrow"> <span class="article__date"> November 7, 2024 </span> </div>  <a href="https://securityintelligence.com/posts/exploring-dora-how-to-manage-ict-incidents/" class="article__content_link"> <div class="article__direction"> <h2 class="article__title"> Exploring DORA: How to manage ICT incidents and minimize cyber threat risks </h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 3</span> <span class="rt-label rt-postfix">min read</span></span> - </span>As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.… </p> </div> </a> </div> </article> </div> </section> </div>  <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v1.31.0-rc.0/cta-section.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/cta-section.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/next/cta-section.min.js"></script> <div style="background-color: #161616;"> <dds-cta-section data-autoid="dds--cta-section" children-custom-class="" class="container SI_padding"> <dds-cta-block no-border="" data-autoid="dds--cta-block"> <dds-content-block-heading class="copy" role="heading" aria-level="2" data-autoid="dds--content-block__heading" slot="heading"> <h2 >Topic updates</h2> </dds-content-block-heading> <dds-content-block-copy data-autoid="dds--content-block__copy" size="md" slot="copy"> <dds-content-block-paragraph data-autoid="dds--content-block-paragraph" class="copy"> Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research. </dds-content-block-paragraph> <div role="list" class="list_newletter"> <dds-button-cta data-autoid="dds-cta" cta-style="button" class="copy" cta-type="local" href="https://www.ibm.com/account/reg/us-en/signup?formid=news-urx-51966" kind="primary" icon-layout="" size=""> Subscribe today </dds-button-cta> </div> </dds-content-block-copy> </dds-cta-block> </dds-cta-section> </div> <dds-footer-container></dds-footer-container> <script> document.addEventListener('DOMContentLoaded', () => { const boxstyle = document.querySelector('.button2'); const removePadding = document.querySelector('dds-cta-section'); if (boxstyle) { const shadowRoot = boxstyle.shadowRoot; const bxContentSsectionDOM = shadowRoot.querySelector('.bx--btn'); if (bxContentSsectionDOM) { bxContentSsectionDOM.style.color = 'white'; bxContentSsectionDOM.style.borderColor = 'white'; bxContentSsectionDOM.addEventListener('mouseover', () => { bxContentSsectionDOM.style.color = 'white'; bxContentSsectionDOM.style.borderColor = 'white'; bxContentSsectionDOM.style.backgroundColor = 'rgba(141, 141, 141, 0.16)'; // }); // when mouse leave the element bxContentSsectionDOM.addEventListener('mouseout', () => { bxContentSsectionDOM.style.color = 'white'; bxContentSsectionDOM.style.borderColor = 'white'; bxContentSsectionDOM.style.backgroundColor = 'transparent'; // Reset background color }); } } if(removePadding){ const shadowRoot = removePadding.shadowRoot; const removespace = shadowRoot.querySelector('.bx--content-section__leading'); if(removespace){ removespace.style.display = 'none'; } } }); document.querySelector("dds-footer-container").size = 'default'; //Uncomment this to add a custom links. // document.querySelector("dds-footer-container").adjunctLinks = [{ // 'title': 'IBM Custom Link', // 'link': 'https://ibm.com' // }, // { // 'title': 'IBM Custom Link2', // 'link': 'https://ibm.com' // } // ]; </script>  <div style="background-color: #13171a;"> <div class="container">  <section id="footer" class="footer">  <div class="footer__logo"> <amp-img width="280" height="31" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/logo-white.svg" alt="Security Intelligence"></amp-img> </div>  <div class="footer__copy"><p>Analysis and insights from hundreds of the brightest minds in the cybersecurity industry to help you prove compliance, grow business and stop threats.</p> </div>  <div class="footer__list"> <a href="/news/" class="footer__link">Cybersecurity News</a> <a href="/category/topics/" class="footer__link">By Topic</a> <a href="/category/industries/" class="footer__link">By Industry</a> <a href="/series/" class="footer__link">Exclusive Series</a> <a href="/x-force/" class="footer__link">X-Force</a> <a href="/media/" class="footer__link">Podcast</a> <a href="/events/" class="footer__link">Events</a> <a href="/about-us/" class="footer__link">Contact</a> <a href="/about-us/" class="footer__link">About Us</a> </div>  <div class="footer__social-networks"> <div class="headline">Follow us on social</div> <a href="http://www.twitter.com/ibmsecurity" aria-label="Twitter" class="footer__icon" style="left:-4px;"> <svg xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 28 28" fill="#FFFFFF"> <path d="M24 4.557c-.883.392-1.832.656-2.828.775 1.017-.609 1.798-1.574 2.165-2.724-.951.564-2.005.974-3.127 1.195-.897-.957-2.178-1.555-3.594-1.555-3.179 0-5.515 2.966-4.797 6.045-4.091-.205-7.719-2.165-10.148-5.144-1.29 2.213-.669 5.108 1.523 6.574-.806-.026-1.566-.247-2.229-.616-.054 2.281 1.581 4.415 3.949 4.89-.693.188-1.452.232-2.224.084.626 1.956 2.444 3.379 4.6 3.419-2.07 1.623-4.678 2.348-7.29 2.04 2.179 1.397 4.768 2.212 7.548 2.212 9.142 0 14.307-7.721 13.995-14.646.962-.695 1.797-1.562 2.457-2.549z" /> </svg> </a> <a href="http://www.linkedin.com/company/ibm-security" aria-label="LinkedIn" class="footer__icon" style="justify-self: center;"> <svg xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 28 28" fill="#FFFFFF"> <path d="M4.98 3.5c0 1.381-1.11 2.5-2.48 2.5s-2.48-1.119-2.48-2.5c0-1.38 1.11-2.5 2.48-2.5s2.48 1.12 2.48 2.5zm.02 4.5h-5v16h5v-16zm7.982 0h-4.968v16h4.969v-8.399c0-4.67 6.029-5.052 6.029 0v8.399h4.988v-10.131c0-7.88-8.922-7.593-11.018-3.714v-2.155z" /> </svg> </a> <a href="https://www.youtube.com/@IBMTechnology" aria-label="YouTube" class="footer__icon" style="justify-self: end;"> <svg xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 28 28" fill="#FFFFFF"> <path d="M19.615 3.184c-3.604-.246-11.631-.245-15.23 0-3.897.266-4.356 2.62-4.385 8.816.029 6.185.484 8.549 4.385 8.816 3.6.245 11.626.246 15.23 0 3.897-.266 4.356-2.62 4.385-8.816-.029-6.185-.484-8.549-4.385-8.816zm-10.615 12.816v-8l8 3.993-8 4.007z" /> </svg> </a> </div> </section> </div> </div> <div style="background-color:black"> <div class="container">  <section class="utility_bar">  <div class="utility_bar__links" aria-label="Footer Navigation"> <a href="http://www.ibm.com?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" rel="noopener, noreferrer">© 2025 IBM</a> <a href="https://www.ibm.com/contact/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" rel="noopener, noreferrer">Contact</a> <a href="https://www.ibm.com/privacy/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" rel="noopener, noreferrer">Privacy</a> <a href="https://www.ibm.com/legal/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=03001744655915532865554&cm_mc_sid_50200000=84159441565120380187" target="_blank" rel="noopener, noreferrer">Terms of use</a> <a href="https://www.ibm.com/accessibility/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" rel="noopener, noreferrer">Accessibility</a> <a href="#" onclick="truste.eu.clickListener();return false;" target="_blank" rel="noopener, noreferrer">Cookie Preferences</a> </div>  <div class="utility_bar__sponsor"> <a href="http://ibm.com/security?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" data-icon="B" class="icon ibm" rel="noopener, noreferrer" style="padding-right:0px"> <span>Sponsored by <svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 31.97 14.06"> <defs> <style> .cls-1 { fill: #fff; } </style> </defs> <title>si-icon-eightbarfeature</title> <path class="cls-1" d="M27.17,12.6h4.21v.84H27.17Zm0-1.68h4.21v.84H27.17Zm0-1.68h2.52v.84H27.17Zm0-1.69h2.52V8.4H27.17Zm0-1.68h2.52v.84H27.17Zm-.84-4.2.28-.85h4.77v.85Zm-.56,1.68.29-.84h5.32v.84ZM25.22,5l.28-.84h4.19V5Zm-.56,1.68L25,5.87h2.22l-.27.84Zm0,6.73-.28-.84H25Zm-.55-1.68-.29-.84H25.5l-.28.84Zm-.56-1.68-.27-.84H26l-.27.84ZM23,8.4l-.29-.85h3.9l-.28.85Zm-.57-1.69-.27-.84h2.22l.28.84Zm-2.8,2.53h2.53v.84H19.63Zm0-1.69h2.53V8.4H19.63Zm0-1.68h2.53v.84H19.63Zm0-.84V4.19h4.19l.29.84ZM18,12.6h4.21v.84H18Zm0-1.68h4.21v.84H18Zm0-7.57V2.51h5.32l.28.84Zm0-1.68V.82h4.76l.29.85ZM14.16,9.24H17a2.23,2.23,0,0,1,.07.37,2.49,2.49,0,0,1,0,.47H14.16Zm0-5h2.95a2.38,2.38,0,0,1,0,.46A2.18,2.18,0,0,1,17,5H14.16ZM9.11,9.24h2.52v.84H9.11Zm0-1.69H16a5,5,0,0,1,.4.4,2,2,0,0,1,.32.45H9.11Zm0-1.68h7.57a2,2,0,0,1-.32.45,4.89,4.89,0,0,1-.4.39H9.11Zm0-1.68h2.52V5H9.11ZM7.42,12.6H16a3.09,3.09,0,0,1-1,.62,3.73,3.73,0,0,1-1.32.22H7.42Zm0-1.68H17a2.47,2.47,0,0,1-.15.46,2.24,2.24,0,0,1-.21.38H7.42Zm0-8.41h9.22a1.91,1.91,0,0,1,.21.38,2.47,2.47,0,0,1,.15.46H7.42Zm0-1.69H13.6a3.73,3.73,0,0,1,1.32.23,3.09,3.09,0,0,1,1,.62H7.42Zm-5,8.42H4.9v.84H2.38Zm0-1.69H4.9V8.4H2.38Zm0-1.68H4.9v.84H2.38Zm0-1.68H4.9V5H2.38ZM.69,12.6H6.58v.84H.69Zm0-1.68H6.58v.84H.69Zm0-8.41H6.58v.84H.69ZM.69.82H6.58v.85H.69Z" /> </svg> </span> </a> </div> </section> </div> </div> <script> window._appInfo = window._appInfo || {}; window._appInfo.newsCredAPIKey = "YXJ0aWNsZT00Mzg0NDI1YTczMWYxMWVlODkzZWEyMTUxMzYxYjM0NQ=="; </script>  <script type="text/javascript" id="qppr_frontend_scripts-js-extra"> /* <![CDATA[ */ var qpprFrontData = {"linkData":{"https:\/\/securityintelligence.com\/defining-security-intelligence\/":[0,0,"https:\/\/securityintelligence.com\/defintion-security-intelligence\/#.VS_NwpNnuZA"],"https:\/\/securityintelligence.com\/security-vulnerability-management-its-about-outcomes-not-activity\/":[0,0,""]},"siteURL":"https:\/\/securityintelligence.com","siteURLq":"https:\/\/securityintelligence.com"}; /* ]]> */ </script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/plugins/quick-pagepost-redirect-plugin/js/qppr_frontend_script.min.js?ver=5.2.4" id="qppr_frontend_scripts-js"></script> <script> setTimeout(() => { document.querySelector(".related_content").style.visibility = 'visible'; document.querySelector(".related_content.article.article_grid.article__mobile--card.article--IBM_blog > c4d-card > c4d-card-footer").shadowRoot.querySelector("#link").style.justifyContent = 'flex-start'; }, 100); </script> </body> </html>

CINXE.COM

PixPirate: The Brazilian financial malware you can't see, part one