CINXE.COM
What’s up India? PixPirate is back and spreading via WhatsApp
<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <link rel="shortcut icon" type="image/x-icon" href="https://securityintelligence.com/wp-content/themes/sapphire/images/favicon.ico" sizes="32x32" /> <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,maximum-scale=1"> <!-- DEFINITIONS --> <title>What’s up India? PixPirate is back and spreading via WhatsApp</title> <!--<meta name="description" content="">--> <!-- THEME COLOR --> <meta name="theme-color" content="#000000"> <!-- REFERRER POLICY --> <meta name="referrer" content="no-referrer-when-downgrade"> <script src="https://1.www.s81c.com/common/stats/ibm-common.js" type="text/javascript" async="async"></script> <!-- LANGUAGE/TRANSLATIONS --> <!-- AMP SCRIPTS --> <script async src="https://cdn.ampproject.org/v0.js"></script> <script async custom-element="amp-list" src="https://cdn.ampproject.org/v0/amp-list-0.1.js"></script> <script async custom-template="amp-mustache" src="https://cdn.ampproject.org/v0/amp-mustache-0.2.js"></script> <script async custom-element="amp-accordion" src="https://cdn.ampproject.org/v0/amp-accordion-0.1.js"></script> <script custom-element="amp-animation" src="https://cdn.ampproject.org/v0/amp-animation-0.1.js" async></script> <script custom-element="amp-position-observer" src="https://cdn.ampproject.org/v0/amp-position-observer-0.1.js" async></script> <script async custom-element="amp-bind" src="https://cdn.ampproject.org/v0/amp-bind-0.1.js"></script> <script async custom-element="amp-autocomplete" src="https://cdn.ampproject.org/v0/amp-autocomplete-0.1.js"></script> <script async custom-element="amp-social-share" src="https://cdn.ampproject.org/v0/amp-social-share-0.1.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v1.35.0/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/card-section-simple.min.js"></script> 
<script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/next/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/card.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/image.min.js"></script> <script async custom-element="amp-lightbox-gallery" src="https://cdn.ampproject.org/v0/amp-lightbox-gallery-0.1.js"></script> <script src="https://unpkg.com/swiper/swiper-bundle.min.js"></script> <script async custom-element="amp-video" src="https://cdn.ampproject.org/v0/amp-video-0.1.js"></script> <script async custom-element="amp-youtube" src="https://cdn.ampproject.org/v0/amp-youtube-0.1.js"></script> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-300x158.jpeg.webp" media="(max-width: 300px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-630x330.jpeg.webp" media="(max-width: 1200px) and (min-width: 301px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg.webp" media="(max-width: 2400px) and (min-width: 631px)"> <link rel="preload" as="image" 
href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg.webp" media="(max-width: 2400px) and (min-width: 1201px)"> <!-- FONTS --> <!-- <link rel="preload" href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed:300,400,500|IBM+Plex+Sans:300,400,500&display=swap" rel="stylesheet"> --> <!-- ANALYTICS --> <script> // Digital Registry digitalData = { "page": { "category": { "primaryCategory": "Fraud Protection" }, "pageInfo": { "language": "en-US", "country": "US", "version": "custom", "effectiveDate": "2024-11-26", "publishDate": "2024-11-26", "optimizely": { "enabled": "false", }, "ibm": { "contentDelivery": "WordPress", "contentProducer": "Hand coded", "owner": "", "siteID": "SECURITYINTELLIGENCE", "type": "Internals", } } } } // Custom Click Tagging // Collect and send clicks not detectable by ida_stats.js function sendClickTag(section, feature, destination) { console.log(section + " " + feature) var config = { type: 'ELEMENT', primaryCategory: section, // e_a1 - Element Category eventName: feature, // e_a2 - Element Name targetURL: destination, // e_a7 - Element Attribute: ibmEvTarget }; ibmStats.event(config); } // Custom Click Tagging // Collect and send clicks not detectable by ida_stats.js // function sendClickConversion(feature, title) { // var config = { // type : 'pageclick', // primaryCategory : 'PAGE CLICK', // eventCategoryGroup : "TIMELINE - SECURITY INTELLIGENCE", // eventName : feature, // targetTitle : title // }; // ibmStats.event(config); // } // Custom Link Event // Add clicktag event on every link inside the element function tagAllLinks(element, section, feature) { var element = document.querySelectorAll(element); if (typeof(element) != 'undefined' && element != null) { for (var i = 0; i < element.length; i++) { var elements = 
element[i].querySelectorAll("a:not(.btn)"); for (var o = 0; o < elements.length; o++) { if (elements[o].getAttribute('listener') !== 'true') { var destination = elements[o].getAttribute('href'); elements[o].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag(section, feature, this.getAttribute('href')); this.setAttribute('listener', 'false'); } }, false); elements[o].setAttribute('listener', 'true'); } } } } } window.onload = function() { // Call to action click tag var ctaButton = document.querySelectorAll(".single__content a"); if (typeof(ctaButton) != 'undefined' && ctaButton != null && ctaButton.length !== 0) { for (var i = 0; i < ctaButton.length; i++) { ctaButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag("BODY", "CALL TO ACTION"); this.setAttribute('listener', 'false'); } }, false); ctaButton[i].setAttribute('listener', 'true'); } } // Read more click tag var readButton = document.querySelectorAll(".continue-reading button"); if (typeof(readButton) != 'undefined' && readButton != null && readButton.length !== 0) { for (var i = 0; i < readButton.length; i++) { readButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag("BODY", "READ-MORE"); this.setAttribute('listener', 'false'); } }, false); readButton[i].setAttribute('listener', 'true'); } } // LISTICLES tag - Arrows //left arrow var leftArrow = document.getElementById("prev"); if (typeof(leftArrow) != 'undefined' && leftArrow != null) { //for (var i = 0; i < leftArrow.length; i++) { leftArrow.addEventListener('click', function() { if (this.getAttribute('listener') === 'true' && leftArrow.id == "prev") { sendClickTag("BODY", "LISTICLE-LEFT-ARROW"); this.setAttribute('listener', 'false'); } }, false); leftArrow.setAttribute('listener', 'true'); //} } //right arrow var rightArrow = document.getElementById("next"); if (typeof(rightArrow) != 
'undefined' && rightArrow != null) { //for (var i = 0; i < rightArrow.length; i++) { rightArrow.addEventListener('click', function() { if (this.getAttribute('listener') === 'true' && rightArrow.id == "next") { sendClickTag("BODY", "LISTICLE-RIGHT-ARROW"); this.setAttribute('listener', 'false'); } }, false); rightArrow.setAttribute('listener', 'true'); //} } // LISTICLES tag - numbers var listicleTopButton = document.querySelectorAll(".listicle__pagination__numbers"); if (typeof(listicleTopButton) != 'undefined' && listicleTopButton != null && listicleTopButton.length !== 0) { for (var i = 0; i < listicleTopButton.length; i++) { var currentSlide = 1; listicleTopButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { currentSlide++; var total = i; // var clickedSlides=currentSlide/2; // console.log(clickedSlides.toFixed()); //I'm removing 2 because 2 arrows on the listicle are unclickable, but present on the DOM // clickableArrows = i-2; // clickableArrows = i-1; // I'm deviding by 2 because on each slide we have 2 arrows, so we were actually sendind the double of tags // clickableArrows= clickableArrows/2; // console.log(i); // clickableArrows.toFixed(); if (currentSlide <= total) { sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-SLIDE" + currentSlide); this.setAttribute('listener', 'false'); } else { sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-END"); this.setAttribute('listener', 'false'); } } }, false); listicleTopButton[i].setAttribute('listener', 'true'); } } // // Timeline box click tag // var boxButton = document.querySelectorAll(".timeline__content .box"); // if (typeof(boxButton) != 'undefined' && boxButton != null && boxButton.length !== 0) { // for (var i = 0; i < boxButton.length; i++) { // boxButton[i].addEventListener('click', function(){ // if (this.getAttribute('listener') === 'true') { // sendClickConversion("DETAILED VIEW", this.getAttribute('data-title')); // this.setAttribute('listener', 'false'); // } 
// }, false); // boxButton[i].setAttribute('listener', 'true'); // } // } }; </script> <!-- COREMETRICS --> <script defer src="https://1.www.s81c.com/common/stats/ida_stats.js" type="text/javascript"></script> <!-- AMP DEFAULT CSS --> <style amp-boilerplate> body { -webkit-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -moz-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -ms-animation: -amp-start 8s steps(1, end) 0s 1 normal both; animation: -amp-start 8s steps(1, end) 0s 1 normal both } @-webkit-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-moz-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-ms-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-o-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } </style><noscript> <style amp-boilerplate> body { -webkit-animation: none; -moz-animation: none; -ms-animation: none; animation: none } </style> </noscript> <link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/modules.css?v=1715191630"> <!-- CUSTOM CSS --> <meta name='robots' content='max-image-preview:large' /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/securityintelligence.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.2"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://securityintelligence.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.2' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 
100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) 
!important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: 
var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='taxonomy-image-plugin-public-css' href='https://securityintelligence.com/wp-content/plugins/taxonomy-images/css/style.css?ver=0.9.6' type='text/css' media='screen' /> <script type="text/javascript" src="https://securityintelligence.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" 
src="https://securityintelligence.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/themes/sapphire/app/javascript/si-theme-cookie.js?ver=6.6.2" id="si-cookie-consent-js"></script> <link rel="https://api.w.org/" href="https://securityintelligence.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://securityintelligence.com/wp-json/wp/v2/ibm_internals/448442" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://securityintelligence.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.6.2" /> <link rel='shortlink' href='https://securityintelligence.com/?p=448442' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fposts%2Fpixpirate-back-spreading-via-whatsapp%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fposts%2Fpixpirate-back-spreading-via-whatsapp%2F&format=xml" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb-80x80.png" sizes="32x32" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <meta name="msapplication-TileImage" content="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <style amp-custom>@import url('https://fonts.googleapis.com/css?family=IBM+Plex+Sans:200,300,400,500,600');@import url('https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed:300,400,500,600,700');@import 
url('https://fonts.googleapis.com/css2?family=IBM+Plex+Serif&display=swap')</style><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/single.css?v=1722279696"> <!-- YOAST SEO --> <!-- This site is optimized with the Yoast SEO Premium plugin v13.1 - https://yoast.com/wordpress/plugins/seo/ --> <meta name="description" content="The PixPirate malware is back, and it is spreading via WhatsApp. Here's what you need to know."/> <meta name="robots" content="max-snippet:-1, max-image-preview:large, max-video-preview:-1"/> <link rel="canonical" href="https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="What’s up India? PixPirate is back and spreading via WhatsApp" /> <meta property="og:description" content="The PixPirate malware is back, and it is spreading via WhatsApp. Here's what you need to know." 
/> <meta property="og:url" content="https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/" /> <meta property="og:site_name" content="Security Intelligence" /> <meta property="article:tag" content="Banking" /> <meta property="article:tag" content="Banking Malware" /> <meta property="article:tag" content="Financial Malware" /> <meta property="article:tag" content="Malware" /> <meta property="article:tag" content="Phishing" /> <meta property="article:tag" content="SMiShing" /> <meta property="article:tag" content="WhatsApp" /> <meta property="article:section" content="Fraud Protection" /> <meta property="fb:app_id" content="3703311399714818" /> <meta property="og:image" content="https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg" /> <meta property="og:image:secure_url" content="https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg" /> <meta property="og:image:width" content="1200" /> <meta property="og:image:height" content="630" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:description" content="The PixPirate malware is back, and it is spreading via WhatsApp. Here's what you need to know." /> <meta name="twitter:title" content="What’s up India? 
PixPirate is back and spreading via WhatsApp" /> <meta name="twitter:image" content="https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg" /> <meta name="twitter:creator" content="@03" /> <script type='application/ld+json' class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://securityintelligence.com/#website","url":"https://securityintelligence.com/","name":"Security Intelligence","inLanguage":"en-US","description":"Analysis and Insight for Information Security Professionals","potentialAction":{"@type":"SearchAction","target":"https://securityintelligence.com/?s={search_term_string}","query-input":"required name=search_term_string"}},{"@type":"ImageObject","@id":"https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/#primaryimage","inLanguage":"en-US","url":"https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg","width":1200,"height":630,"caption":"Closeup on a smartphone in man's hands being held in front of his chest and close to his face"},{"@type":"WebPage","@id":"https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/#webpage","url":"https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/","name":"What\u2019s up India? 
PixPirate is back and spreading via WhatsApp","isPartOf":{"@id":"https://securityintelligence.com/#website"},"inLanguage":"en-US","primaryImageOfPage":{"@id":"https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/#primaryimage"},"datePublished":"2024-11-26T17:00:00+00:00","dateModified":"2024-11-26T17:21:30+00:00","description":"The PixPirate malware is back, and it is spreading via WhatsApp. Here's what you need to know."}]}</script> <!-- / Yoast SEO Premium plugin. --> </head> <body class="si_body" > <nav id="navigation" class="navigation navigation--homepage " aria-label="Security Intelligence"> <div class="container"> <div class="row"> <!-- LOGO --> <div class="navigation__brand"> <a href="https://securityintelligence.com" title="Security Intelligence" tabindex="1"> <amp-img width="280" height="31" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/logo-white.svg" alt="Security Intelligence Logo"> <div fallback> <h6>Security Intelligence</h6> </div> </amp-img> </a> </div> <!-- DESKTOP MENU - HOVER --> <div class="navigation__menu" onmouseleave="delete localStorage['megamenu-status']"> <a tabindex="2" id="nav-news" href="/news/" class="navigation__button " data-menu="megamenu__news" onclick="localStorage['megamenu-status'] = 'first-interaction';">News</a> <a tabindex="4" id="nav-topics" href="/category/topics/" class="navigation__button " data-menu="megamenu__topics" onclick="localStorage['megamenu-status'] = 'first-interaction';">Topics</a> <a tabindex="5" id="nav-x-force" href="/x-force/" class="navigation__button " data-menu="megamenu__threat" onclick="localStorage['megamenu-status'] = 'first-interaction';">X-Force</a> <a tabindex="6" id="nav-media" href="/media/" class="navigation__button " data-menu="megamenu__podcast" onclick="localStorage['megamenu-status'] = 'first-interaction';">Podcast</a> <button aria-label="search Button" class="navigation__search" 
href="/category/health-care-industry/">Healthcare</a> </div> </div> </section> </amp-accordion> <a href="/x-force/">X-Force</a> <a href="/media/">Podcast</a> </section> </div> </div> </nav> <!-- BACK TO TOP --> <div class="scroll-to-top "> <!-- TOP VIEWER TRIGGER --> <div id="top-viewer" class="scroll-to-top__viewer"></div> <!-- BUTTON --> <div class="sticky" style="height: 100%;"> <button id="scrollToTopButton" on="tap:top-viewer.scrollTo(duration=200, position=bottom)" class="tap_target "> <div class="scroll-to-top__button"> <amp-img width="12" height="16" layout="fixed" alt="Back-to-top" src="https://securityintelligence.com/wp-content/themes/sapphire/images/scroll-to-top.svg"></amp-img> </div> </button> </div> <!-- SCROLL SHOW/HIDE ANIMATION --> <amp-animation id="showAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "1", "visibility": "visible" }] }] } </script> </amp-animation> <amp-animation id="hideAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "0", "visibility": "hidden" }] }] } </script> </amp-animation> </div> <!-- CHECK PAGE POSITION --> <amp-position-observer target="top-viewer" intersection-ratios="0" on="enter:hideAnim.start; exit:showAnim.start" layout="nodisplay"></amp-position-observer> <!-- SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "http://schema.org", "@type": "Article", "headline": "What’s up India? 
PixPirate is back and spreading via WhatsApp", "mainEntityOfPage": "https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/", "author": { "@type": "Person", "name": "Nir Somech" }, "datePublished": "2024-11-26T12:00:00-05:00", "dateModified": "2024-11-26T12:21:30-05:00", "publisher": { "@type": "Organization", "name": "Security Intelligence", "logo":{ "@type": "ImageObject", "url": "https://securityintelligence.com/wp-content/themes/security-intelligence/assets/img/logo.png" } }, "image": [ "https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-630x330.jpeg" ], "articleBody": "<h2>Quick recap</h2><p>This blog post is the continuation of a <a href="https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/">previous blog</a> regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this additional content. As a reminder, PixPirate malware consists of two components: a downloader application and a <span class="resolved" >droppee</span> application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also <i>runs</i> the droppee. Without this operation by the PixPirate downloader, the droppee, i.e. the malware itself, would never run. 
In addition, the PixPirate downloader can send commands to the droppee for execution and has an active role in the droppee activities and operations.</p><p>In the most basic terms, the PixPirate downloader pretends to be a legitimate authentication application that helps users secure their bank accounts.</p><p><strong><img alt="PixPirate 2 - fig 1.png" height="334" src="https://images1.cmp.optimizely.com/Zz0yZDA4MmZlOGFiNzUxMWVmOTA2OGVhZDM2ZjJhYjBlYw==" width="678"/></strong></p><p><em>Figure 1: PixPirate downloader icons.</em></p><p>The PixPirate downloader doesn’t exist in the Google Play Store, but it spreads through <a href="https://www.ibm.com/topics/smishing" rel="noopener" target="_blank">Smishing</a> campaigns or a WhatsApp spam message from an infected user. In these cases, the victim is tricked into downloading and installing the downloader application. As it runs, the downloader prompts the target victim that there is an updated version of the application and asks for permission to install other untrusted apps, as a way to install the related PixPirate droppee.</p><h2>The new PixPirate campaign</h2><p>In recent months, the Trusteer research lab monitored and detected a new campaign of PixPirate running in Brazil, and directly attacking Brazilian banks. At the time of this blog, PixPirate still primarily targets the Pix payment services that are integrated with most Brazilian banking apps.</p><p>In the current PixPirate campaign, Trusteer noticed the largest number of infections in Brazil (almost 70% of all infections), but with an additional reach that expanded to other markets in the world, including India and most recently Italy and Mexico. Outside of Brazil, India is the next-most infected country by PixPirate, with nearly 20% of the total infections in the world. 
Although no Indian banks appear in the PixPirate target list, the Trusteer research lab assumes the <a href="https://www.ibm.com/topics/malware" rel="noopener" target="_blank">malware</a> developers are laying the foundation for future campaigns in India. One possible explanation for the infection spread in India is the widespread use of India’s Unified Payments Interface (UPI) instant payment service. The UPI is utilized by hundreds of millions of consumers in India, where it has become the country’s standard payment platform, and is regulated by <a href="https://www.rbi.org.in/">the Reserve Bank of India</a> (RBI).</p><p><strong><img alt="PixPirate 2 - fig 2.png" height="424" src="https://images2.cmp.optimizely.com/Zz1hNTU3ZWUxMGFiNzYxMWVmYjZhMDIyOTFkNGY3NDU4OQ==" width="677"/></strong><em>Figure 2: A pie graph showing PixPirate distribution across several countries.</em></p><h2>PixPirate <span class="resolved" >droppee</span> installation made easy</h2><p>The newly identified PixPirate campaign also includes a new version of the downloader, which includes a link to a <a href="https://www.youtube.com/watch?app=desktop&v=TqjE5Y5CYfI">YouTube</a> video that explains and demonstrates to the target victim how to unknowingly install the droppee Android package kit (APK) and grant all the permissions and capabilities it needs in order to fully execute on the victim’s device. The YouTube video imitates a legitimate tutorial explaining to the user how to install a legitimate financial service app, and to date has more than 78,000 views, which gives some indication of the infection’s potential reach if every viewer followed through and unknowingly installed the PixPirate malware.</p><p>In the video, a user launches the downloader app for the first time, which poses as a legitimate financial services application. The PixPirate downloader then asks the user to install an updated version of itself. 
Once the installation is complete, the victim has actually installed a new malicious application, rather than simply upgrading the downloader. This new app – the droppee app – is in fact the PixPirate malware. The PixPirate malware then remains hidden from the user by having no icon on the home screen of the infected device.</p><p>As discussed in the <a href="https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/">previous PixPirate blog</a>, remaining hidden from the user has many advantages, including giving the PixPirate malware a better chance to sustain a long infection period with the ability to conduct financial fraud. However, this also introduces a problem – without an icon, the victim cannot “start” or activate the malware manually, so who will do it? That’s where the PixPirate downloader comes back into play, as the component responsible for running the malware. The previous Trusteer blog post described the innovative way the PixPirate downloader ran the droppee, but in the current campaign, Trusteer has detected a new way the downloader executes the malware, as described in the next section.</p><h2>New PixPirate droppee execution method</h2><p>The previous Trusteer blog post assessed the method used by the PixPirate droppee to hide its icon and, as a result, the special technique used by the downloader in order to run the droppee. In the new PixPirate campaign, the downloader uses a new method for launching the droppee.</p><p>In the new method, the downloader retains the role of executing the invisible droppee. 
The droppee’s manifest declares an activity with an intent filter for one of the following unique action names:</p><ul><li>“com.ticket.stage.Service”</li><li>“com.ticket.action.Service”</li><li>“com.sell.allday.Service”</li></ul><p>When the PixPirate downloader wants to run the corresponding droppee, the first thing it needs to do is obtain the droppee activity holding this specific unique action, together with the droppee’s package name. To do that, the downloader uses the API “<i>queryIntentActivities(android.content.Intent, int)</i>”, passing an intent that carries the desired action name as its argument. This function retrieves a list of all activities that hold an intent filter matching the given intent. It returns a list of “ResolveInfo” objects containing one entry for each matching activity.</p><p>We can see in the image below the function that is responsible for returning a list of intents for all the activities of packages that contain one of the action names mentioned above. The PixPirate downloader starts with a for loop over a list of activity action names belonging to the PixPirate droppee, calling the “<i>queryIntentActivities</i>” API for each. This API returns a list of “ResolveInfo” objects containing all activities with one of the droppee action names. For each “ResolveInfo” object returned, it creates an intent with the corresponding activity name and package name and stores it in an array. 
This array is returned by the function.</p><p><strong><img alt="fig 3 - get_droppee_packagenames.png" height="308" src="https://images2.cmp.optimizely.com/Zz1jNTMxMDE2NGFiN2ExMWVmYTFmZTVlY2YxNTcyYjBlNQ==" width="652"/></strong></p><p><em><span style="color: #000000;">Figure 3: </span>PixPirate downloader function responsible for getting droppee launching activity.</em></p><p>In the following function, we can see in the for loop a call to the function “get_potential_droppee_packagenames” that is responsible for returning a list of all intents for all activities of packages that contain one of the droppee action names. Then, it validates that the package name related to the returned intent is really the droppee package. If so, it adds other relevant and necessary data to the intent and uses the <i>“startActivity(android.content.Intent)”</i> API to start the relevant droppee activity and perform the action of running the droppee.</p><p><strong><img alt="fig 4 - run_droppee_function.png" height="270" src="https://images3.cmp.optimizely.com/Zz04YjljNzFlNGFiN2IxMWVmODcyMTYyN2FiYzZlMzM5ZQ==" width="677"/></strong></p><p><em>Figure 4: PixPirate downloader function that runs and executes PixPirate droppee.</em></p><h2>WhatsApp: Key player in PixPirate malware spreading technique</h2><p>As part of the installation flow of PixPirate downloader on a device, the downloader checks to see if the WhatsApp instant messaging app is installed. The downloader contains in its “assets” folder the “WhatsApp” APK, so if the WhatsApp application is not installed on the victim's device, the malware pushes the victim to install it.</p><p><strong><img alt="fig 5 - downloader_assets_folder.png" height="122" src="https://images3.cmp.optimizely.com/Zz0wMGQyMDhiNmFiN2MxMWVmYTE4NGFhZTZmZWY5ZWVkYQ==" width="317"/></strong></p><p><em>Figure 5: Downloader assets.</em></p><p>We can see in the image above the “assets” folder of the downloader APK, where “wsv2.jpeg” stands for WhatsApp APK. 
The other files are different versions of the droppee APKs.</p><p>Because it bundles the WhatsApp APK, the downloader is almost 100MB. This is abnormally large compared to other common finance malware downloaders, which have relatively small code sections and little functionality, as they generally aim only to download and install the droppee (and not run it).</p><p>The PixPirate droppee uses the WhatsApp app to send malicious <a href="https://www.ibm.com/topics/phishing" rel="noopener" target="_blank">phishing</a> messages through a victim’s WhatsApp account with the intent to spread itself and infect other devices. The malware has the ability to read the victim’s contact list, in addition to being able to add contacts, and then can send WhatsApp messages to the victim’s contacts or even WhatsApp groups to further the spread and infect more users.</p><p>The new capabilities and functionality related to the WhatsApp app can include:</p><ul><li>Sending messages</li><li>Deleting messages</li><li>Creating groups and sending messages</li><li>Reading and deleting the user contact list</li><li>Adding and changing the user contact list</li><li>Blocking and unblocking other WhatsApp user accounts</li></ul><p>While the WhatsApp messages are being sent, the PixPirate malware uses an overlay technique to hide the device screen, so the victim won’t notice the malware is using the WhatsApp app.</p><p><strong><img alt="fig 6 - PixPirate infection methodology.jpg" height="231" src="https://images2.cmp.optimizely.com/Zz1lMjRiNGNjNmFiN2MxMWVmYTMxZmZhZDUxNDNkY2VkNQ==" width="665"/></strong></p><p><em>Figure 6:<strong> </strong>PixPirate new infection methodology.</em></p><p>It should be noted that sending WhatsApp phishing messages is an extremely effective tool for attackers to spread and infect other victims, for a couple of reasons:</p><ol><li>WhatsApp messages look more legitimate and reliable than SMS messages. 
Smishing is an already well-known technique used by fraudsters and attackers to spread spam and malicious content, and users are aware of those types of malicious threats. However, that precaution and awareness is not as pronounced with WhatsApp messages.</li><li>As opposed to smishing attacks, where the sender tends to be unknown to the victim, which can raise suspicion, messages received via WhatsApp are often sent from a known contact, which gives the recipient a false sense of security that the message is legitimate.</li></ol><p>Using WhatsApp helps foster PixPirate infections and spread the malware to more victims and devices, even if they are not the intended targets.</p><h2>Sending a WhatsApp message</h2><p>In the image below, the PixPirate function that is responsible for sending WhatsApp messages from the victim’s account is clearly visible. Note that the function takes three parameters:</p><ul><li>Contact list – a list of contacts to which the malicious WhatsApp message is sent</li><li>messagesArr – array of messages to send</li><li>sleepTime – time to wait between sending each message</li></ul><p>The malware then takes a phone number from the victim’s contact list and creates an intent whose data field contains the key for sending a WhatsApp message to the targeted phone number with the text it would like to send. 
In the package message, PixPirate sets the package name of the WhatsApp application (“com.whatsapp”) and then it triggers the sending message action by starting the activity using the intent it just created.</p><p><strong><img alt="fig 7 - whatsapp_1.png" height="599" src="https://images3.cmp.optimizely.com/Zz1mY2RjNWNmYWFiN2QxMWVmYjdjNjE2OWYzN2FiYzU1Mg==" width="668"/></strong></p><p><em>Figure 7:<strong> </strong>Malware creating a WhatsApp message.</em></p><p>In the next image, after the message to be sent via PixPirate has been created, the malware locates the “send” button and it abuses the device’s Accessibility service to click on it, just like a human user would, to send the WhatsApp message to the intended recipients.</p><p><strong><img alt="fig 8 - whatsapp_2.png" height="146" src="https://images3.cmp.optimizely.com/Zz01MjNmZDg3MGFiN2UxMWVmODcyMTYyN2FiYzZlMzM5ZQ==" width="477"/></strong></p><p><em>Figure 8: Malware sending WhatsApp message function.</em></p><h2>Summary</h2><p>PixPirate is a dangerous remote access tool (RAT) malware campaign first seen in late 2021, but which has recently returned via a new campaign infecting users primarily in Brazil and India, with campaigns beginning to appear in Italy and Mexico. PixPirate’s threats and malicious activities are based on the malware’s unique accessibility capabilities, including being a RAT and having remote-control capabilities to ensure automatic fraud execution, theft of user data, spreading through WhatsApp messages, hiding and anti-removal, intercepting SMS, recording user activities and more. The malware also holds some anti-virtual machine (anti-vm) and obfuscation capabilities.</p><p>This latest iteration of the PixPirate malware also uses a new hiding technique to conceal its existence on the device, including hiding its icon on the home screen.</p><p>Early on in the malware’s lifecycle, PixPirate was identified only in Brazil, targeting Pix payment services and Brazilian banks. 
Today, however, the new PixPirate version and campaign identified by Trusteer Lab have spread to other regions in the world, with a specific focus on India. Although Trusteer hasn’t observed any Indian targets to date, our assumption is that this is only the beginning for this heavily maintained malware, to the point that we may see PixPirate outgrow its name in the future.</p><h2>IOCs</h2><p>Downloader SHA256: 1196c9f7102224eb1334cef1b0b1eab070adb3826b714c5ebc932b0e19bffc55</p><p>Droppee SHA256: d723248b05b8719d5df686663c47d5789c323d04cd74b7d4629a1a1895e8f69a</p>" } </script> <!-- BREADCRUMB SCHEMA --> <script id="breadcrumb-schema" type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [ { "@type": "ListItem", "position": 1, "name": "Home", "item": "https://securityintelligence.com/" } ] } </script> <div id="progressbar"> <amp-animation id="progress-animation" layout="nodisplay"> <script type="application/json"> { "duration": "1s", "iterations": "1", "fill": "both", "direction": "alternate", "animations": [{ "selector": "#progressbar", "keyframes": [{ "transform": "translateX(0)" }] }] } </script> </amp-animation> </div> <amp-position-observer target="post__content" intersection-ratios="0" viewport-margins="25vh 75vh" on="scroll:progress-animation.seekTo(percent=event.percent)" layout="nodisplay"></amp-position-observer> <div class="dark_background" style="background:black;"></div> <div class="container grid" style="background:black;"> <!-- Breadcrumbs --> <aside class="breadcrumbs "> <h1 class="breadcrumbs__page_title">What’s up India? 
PixPirate is back and spreading via WhatsApp</h1> </aside> </div> <div class="container grid hero_background "> <div class="grid__content post "> <div class="post__thumbnail"> <amp-img alt="Closeup on a smartphone in man's hands being held in front of his chest and close to his face" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-630x330.jpeg.webp" srcset="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-300x158.jpeg.webp 300w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-630x330.jpeg.webp 630w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg.webp 1200w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg.webp 2400w"> <amp-img fallback alt="Closeup on a smartphone in man's hands being held in front of his chest and close to his face" width="1200" height="630" layout="responsive" 
src="https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-630x330.jpeg" srcset="https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-300x158.jpeg 300w, https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-630x330.jpeg 630w, https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg 1200w, https://securityintelligence.com/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg 2400w"> </amp-img> </amp-img> </div> <div class="new_categoy"> <div class="category-container"> <div class="category"> <div class="theme"> <div class="form-check form-switch"> <div class="link-container"> <a href="#" class="theme-link" id="light-theme-link">Light</a> <a href="#" class="theme-link" id="dark-theme-link">Dark</a> </div> </div> </div> <hr class="separator"> <div class="author_date"> <div class="information"> <span class="date">November 26, 2024</span> <span class="author_category">By <a href="https://securityintelligence.com/author/nir-somech/" >Nir Somech</a> </span> <span class="author_category"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 
8</span> <span class="rt-label rt-postfix">min read</span></span></span> </div> </div> <hr class="separator"> <div class="title"> <a href="https://securityintelligence.com/category/topics/fraud-protection/"><span class="name_category">Fraud Protection</span></a><br> <a href="https://securityintelligence.com/category/topics/app-security/"><span class="name_other_category">Application Security</span></a><br> <a href="https://securityintelligence.com/category/topics/banking-financial-services-industry/"><span class="name_other_category">Banking &amp; Finance</span></a><br> </div> <div class="social-container" style="visibility: hidden;"> <hr class="separator"> <div class="social"> <!-- Social ICONS --> <a href="https://twitter.com/intent/tweet?text=What’s up India? PixPirate is back and spreading via WhatsApp&amp;url=https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/twitter.svg" alt="twitter"></amp-img></a> <a href="https://www.linkedin.com/shareArticle?url=https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/linkedin.svg" alt="Linkedin" ></amp-img></a> <a href="https://www.facebook.com/sharer/sharer.php?u=https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/facebook.svg" alt="facebook"></amp-img></a> <a href="https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" 
layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/link.svg" alt="An arrow pointing up"></amp-img></a> </div> </div> </div> <script> window.addEventListener('scroll', function() { var category = document.querySelector('.category'); var scrollPosition = window.scrollY; if (scrollPosition >= 0) { category.classList.add('sticky'); } else { category.classList.remove('sticky'); } }); // Function to set the light theme function setLightTheme(event, toSaveLocalStorage = true) { event.preventDefault(); const body = document.body; body.classList.remove('dark-theme'); // Save the user's theme preference in localStorage if (toSaveLocalStorage && !location.href.includes("/x-force/")) { setSiTheme('light'); } } // Function to set the dark theme function setDarkTheme(event, toSaveLocalStorage = true) { event.preventDefault(); const body = document.body; body.classList.add('dark-theme'); // Save the user's theme preference in localStorage if (toSaveLocalStorage && !location.href.includes("/x-force/")) { setSiTheme('dark'); } } // Add click event listeners to the theme links document.getElementById('light-theme-link').addEventListener('click', (event) => setLightTheme(event)); document.getElementById('dark-theme-link').addEventListener('click', (event) => setDarkTheme(event)); // Check localStorage to set the initial theme preference const themePreference = localStorage.getItem('si-theme-mode'); // Function to simulate a click event function simulateClick(handler, toSaveLocalStorage) { const event = new Event('click'); handler(event, toSaveLocalStorage); } // Apply the correct theme based on URL and preference if (location.href.includes("/x-force/")) { simulateClick(setDarkTheme, false); // Apply the dark theme for all x-force posts } else if (themePreference === 'dark') { simulateClick(setDarkTheme, true); // Apply the dark theme based on user preference } else if (themePreference === 'light') { 
simulateClick(setLightTheme, true); // Apply the light theme based on user preference (default) } else { simulateClick(setLightTheme, true); // Apply the light theme by default } </script> <script> const cookies = JSON.parse(localStorage.getItem("truste.eu.cookie.notice_preferences")); if (cookies && cookies.value === '2:') { document.querySelector('.social-container').style.visibility = 'visible'; } </script> </div> <main class="post__content post__content--continue_reading" id="post__content"> <h2>Quick recap</h2> <p>This blog post is the continuation of a <a href="https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/" >previous blog</a> regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this additional content. As a reminder, PixPirate malware consists of two components: a downloader application and a <span class="resolved">droppee</span> application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also <i>runs</i> the droppee. Without this operation by the PixPirate downloader, the droppee, i.e. the malware itself, would never run. 
In addition, the PixPirate downloader can send commands to the droppee for execution and has an active role in the droppee activities and operations.</p> <p>In the most basic terms, the PixPirate downloader pretends to be a legitimate authentication application that helps users secure their bank accounts.</p> <p><strong><amp-img src="https://images1.cmp.optimizely.com/Zz0yZDA4MmZlOGFiNzUxMWVmOTA2OGVhZDM2ZjJhYjBlYw==" layout="intrinsic" class="" alt="PixPirate 2 - fig 1.png" width="678" height="334" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 1: PixPirate downloader icons.</em></p> <p>The PixPirate downloader doesn’t exist in the Google Play Store, but it spreads through <a href="https://www.ibm.com/topics/smishing" target="_blank" rel="noopener nofollow" >Smishing</a> campaigns or a WhatsApp spam message from an infected user. In these cases, the victim is tricked into downloading and installing the downloader application. As it runs, the downloader prompts the target victim that there is an updated version of the application and asks for permission to install other untrusted apps, as a way to install the related PixPirate droppee.</p> <h2>The new PixPirate campaign</h2> <p>In recent months, the Trusteer research lab monitored and detected a new campaign of PixPirate running in Brazil, and directly attacking Brazilian banks. At the time of this blog, PixPirate still primarily targets the Pix payment services that are integrated with most Brazilian banking apps.</p> <p>In the current PixPirate campaign, Trusteer noticed the largest number of infections in Brazil (almost 70% of all infections), but with an additional reach that expanded to other markets in the world, including India and most recently Italy and Mexico. Outside of Brazil, India is the next-most infected country by PixPirate, with nearly 20% of the total infections in the world. 
Although no Indian banks appear in the PixPirate target list, the Trusteer research lab assumes the <a href="https://www.ibm.com/topics/malware" target="_blank" rel="noopener nofollow" >malware</a> developers are laying the foundation for future campaigns in India. One possible explanation for the infection spread in India is the widespread use of India’s Unified Payments Interface (UPI) instant payment service. The UPI is utilized by hundreds of millions of consumers in India, where it has become the country’s standard payment platform, and is regulated by <a href="https://www.rbi.org.in/" target="_blank" rel="noopener nofollow" >the Reserve Bank of India</a> (RBI).</p> <p><strong><amp-img src="https://images2.cmp.optimizely.com/Zz1hNTU3ZWUxMGFiNzYxMWVmYjZhMDIyOTFkNGY3NDU4OQ==" layout="intrinsic" class="" alt="PixPirate 2 - fig 2.png" width="677" height="424" lightbox="lightbox"></amp-img></strong><em>Figure 2: A pie graph showing PixPirate distribution across several countries.</em></p> <h2>PixPirate <span class="resolved">droppee</span> installation made easy</h2> <p>The newly identified PixPirate campaign also includes a new version of the downloader, which includes a link to a <a href="https://www.youtube.com/watch?app=desktop&v=TqjE5Y5CYfI" target="_blank" rel="noopener nofollow" >YouTube</a> video that explains and demonstrates to the target victim how to unknowingly install the droppee Android package kit (APK) and grant all the necessary permissions and capabilities in order to fully execute on the victim’s device. 
The YouTube video imitates a legitimate tutorial video explaining to the user how to install a legitimate financial service app, and to date has more than 78,000 views, which gives some indication of the infection’s reach if every YouTube viewer followed through and unknowingly installed the PixPirate malware.</p> <p>In the video, a user launches the downloader app for the first time, which pretends to be a legitimate financial services application. The PixPirate downloader then asks the user to install an updated version of itself. Once the installation is complete, the victim has actually installed a new malicious application, rather than simply upgrading the downloader. This new app – the droppee app – is in fact the PixPirate malware. The PixPirate malware then remains incognito to the user by having no icon on the home screen of the infected device.</p> <p>As discussed in the <a href="https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/" >previous PixPirate blog</a>, remaining incognito to the user has many advantages, including giving the PixPirate malware a better chance to sustain a long infection period with the ability to conduct financial fraud. However, this also introduces a problem – without an icon, the victim cannot “start” or activate the malware manually, so who will do it? That’s where the PixPirate downloader comes back into play, as the resource that is responsible for running the malware. The previous Trusteer blog post described the innovative way the PixPirate downloader ran the droppee, but in this current campaign, Trusteer has detected a new way the downloader executes the malware, as described in the next section.</p> <h2>New PixPirate droppee execution method</h2> <p>The previous Trusteer blog post assessed the method used by the PixPirate droppee to hide its icon and, as a result, the special technique used by the downloader in order to run the droppee. 
In the new PixPirate campaign, the downloader uses a new method for launching the droppee.</p> <p>In the new method, the downloader keeps the role of executing the invisible droppee. The droppee’s manifest declares an activity with an intent filter that uses one of the following unique action names:</p> <ul> <li>“com.ticket.stage.Service”</li> <li>“com.ticket.action.Service”</li> <li>“com.sell.allday.Service”</li> </ul> <p>When the PixPirate downloader wants to run the corresponding droppee, the first thing it needs to do is to find the droppee activity holding this specific unique action, together with the droppee’s package name. To do that, the downloader uses the API “<code>queryIntentActivities(android.content.Intent, int)</code>”, passing an intent with the desired action name as the argument. This function retrieves a list of all activities that hold an intent filter matching the given intent. It returns a list of “ResolveInfo” objects containing one entry for each matching activity.</p> <p>We can see in the image below the function that is responsible for returning a list of intents for all the activities of packages that declare one of the action names mentioned above. The PixPirate downloader starts with a for loop over a list of activity action names belonging to the PixPirate droppee, calling the “<code>queryIntentActivities</code>” API for each. This API returns a list of “ResolveInfo” objects containing all activities with one of the droppee action names. For each “ResolveInfo” object returned, it creates an intent with the corresponding activity name and package name and stores it in an array. 
This array is returned by the function.</p> <p><strong><amp-img src="https://images2.cmp.optimizely.com/Zz1jNTMxMDE2NGFiN2ExMWVmYTFmZTVlY2YxNTcyYjBlNQ==" layout="intrinsic" class="" alt="fig 3 - get_droppee_packagenames.png" width="652" height="308" lightbox="lightbox"></amp-img></strong></p> <p><em><span style="color: #000000;">Figure 3: </span>PixPirate downloader function responsible for getting droppee launching activity.</em></p> <p>In the following function, we can see in the for loop a call to the function “get_potential_droppee_packagenames” that is responsible for returning a list of all intents for all activities of packages that contain one of the droppee action names. Then, it validates that the package name related to the returned intent is really the droppee package. If so, it adds other relevant and necessary data to the intent and uses the <i>“startActivity(android.content.Intent)”</i> API to start the relevant droppee activity and perform the action of running the droppee.</p> <p><strong><amp-img src="https://images3.cmp.optimizely.com/Zz04YjljNzFlNGFiN2IxMWVmODcyMTYyN2FiYzZlMzM5ZQ==" layout="intrinsic" class="" alt="fig 4 - run_droppee_function.png" width="677" height="270" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 4: PixPirate downloader function that runs and executes PixPirate droppee.</em></p> <h2>WhatsApp: Key player in PixPirate malware spreading technique</h2> <p>As part of the installation flow of PixPirate downloader on a device, the downloader checks to see if the WhatsApp instant messaging app is installed. 
The downloader bundles the WhatsApp APK in its “assets” folder, so if the WhatsApp application is not installed on the victim’s device, the malware pushes the victim to install it.</p> <p><strong><amp-img src="https://images3.cmp.optimizely.com/Zz0wMGQyMDhiNmFiN2MxMWVmYTE4NGFhZTZmZWY5ZWVkYQ==" layout="intrinsic" class="" alt="fig 5 - downloader_assets_folder.png" width="317" height="122" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 5: Downloader assets.</em></p> <p>We can see in the image above the “assets” folder of the downloader APK, where the file “wsv2.jpeg” is actually the WhatsApp APK. The other files are different versions of the droppee APKs.</p> <p>Because it bundles the WhatsApp APK, the downloader is almost 100MB. This makes it abnormally large compared to other common finance malware downloaders, which have relatively small code sections and little functionality, as they generally aim only to download and install the droppee (and not run it).</p> <p>The PixPirate Droppee uses the WhatsApp app to send malicious <a href="https://www.ibm.com/topics/phishing" target="_blank" rel="noopener nofollow" >phishing</a> messages through a victim’s WhatsApp account with the intent to spread itself and infect other devices. 
The malware has the ability to read the contact list of the victim, in addition to being able to add contacts, and then can send WhatsApp messages to a victim’s contacts or even WhatsApp groups to further the spread and infect more users.</p> <p>The new capabilities and functionality related to the WhatsApp app can include:</p> <ul> <li>Sending messages</li> <li>Deleting messages</li> <li>Creating groups and sending messages</li> <li>Reading and deleting the user contact list</li> <li>Adding and changing the user contact list</li> <li>Blocking and unblocking other WhatsApp user accounts</li> </ul> <p>While the WhatsApp messages are being sent, the PixPirate malware uses an overlay technique to hide the device screen, so the victim won’t notice the malware is using the WhatsApp app.</p> <p><strong><amp-img src="https://images2.cmp.optimizely.com/Zz1lMjRiNGNjNmFiN2MxMWVmYTMxZmZhZDUxNDNkY2VkNQ==" layout="intrinsic" class="" alt="fig 6 - PixPirate infection methodology.jpg" width="665" height="231" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 6: PixPirate new infection methodology.</em></p> <p>It should be noted that sending WhatsApp phishing messages is an extremely effective tool for attackers to spread and infect other victims, for a couple of reasons:</p> <ol> <li>WhatsApp messages look more legitimate and reliable than SMS messages. Smishing is an already well-known technique used by fraudsters and attackers to spread spam and malicious content, and users are aware of those types of malicious threats. 
However, that precaution and awareness are not as pronounced with WhatsApp messages.</li> <li>As opposed to smishing attacks, where the sender tends to be unknown to the victim, which can raise their suspicions, messages received via WhatsApp are often sent from a known contact, which gives the recipient a false sense of security that the message is legitimate.</li> </ol> <p>Using WhatsApp helps foster PixPirate infections and spread the malware to more victims and devices, even if they are not potential intended targets.</p> <h2>Sending a WhatsApp message</h2> <p>In the image below, the PixPirate function that is responsible for sending WhatsApp messages from the victim account is clearly visible. Note that the function takes three parameters:</p> <ul> <li>Contact list – a list of contacts to send the malicious WhatsApp message to</li> <li>messagesArr – array of messages to send</li> <li>sleepTime – time to wait between sending each message</li> </ul> <p>The malware then takes the phone number from the victim’s contact list and creates an intent whose data field encodes a request to send a WhatsApp message to the targeted phone number with the text it wants to send. 
On the same intent, PixPirate sets the package name of the WhatsApp application (“com.whatsapp”) and then triggers the send action by starting the activity with the intent it just created.</p> <p><strong><amp-img src="https://images3.cmp.optimizely.com/Zz1mY2RjNWNmYWFiN2QxMWVmYjdjNjE2OWYzN2FiYzU1Mg==" layout="intrinsic" class="" alt="fig 7 - whatsapp_1.png" width="668" height="599" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 7: Malware creating a WhatsApp message.</em></p> <p>In the next image, after the message to be sent via PixPirate has been created, the malware locates the “send” button and abuses the device’s Accessibility service to click on it, just like a human user would, to send the WhatsApp message to the intended recipients.</p> <p><strong><amp-img src="https://images3.cmp.optimizely.com/Zz01MjNmZDg3MGFiN2UxMWVmODcyMTYyN2FiYzZlMzM5ZQ==" layout="intrinsic" class="" alt="fig 8 - whatsapp_2.png" width="477" height="146" lightbox="lightbox"></amp-img></strong></p> <p><em>Figure 8: Malware sending WhatsApp message function.</em></p> <h2>Summary</h2> <p>PixPirate is a dangerous remote access tool (RAT) malware campaign first seen in late 2021, but which has recently returned via a new campaign infecting users primarily in Brazil and India, with campaigns beginning to appear in Italy and Mexico. PixPirate’s threats and malicious activities are based on the malware’s unique accessibility capabilities, including being a RAT and having remote-control capabilities to ensure automatic fraud execution, theft of user data, spreading through WhatsApp messages, hiding and anti-removal, intercepting SMS, recording user activities and more. 
The malware also holds some anti-virtual machine (anti-VM) and obfuscation capabilities.</p> <p>This latest iteration of the PixPirate malware also uses a new hiding technique to conceal its existence on the device, including hiding its icon on the home screen.</p> <p>Early on in the malware’s lifecycle, PixPirate was identified only in Brazil, targeting Pix payment services and Brazilian banks. Today, however, the new PixPirate version and campaign identified by Trusteer Lab have spread to other regions in the world, with a specific focus on India. Although Trusteer hasn’t observed any Indian targets to date, our assumption is that this is only the beginning for this heavily maintained malware, to the point that we may see PixPirate outgrow its name in the future.</p> <h2>IOCs</h2> <p>Downloader SHA256: <code>1196c9f7102224eb1334cef1b0b1eab070adb3826b714c5ebc932b0e19bffc55</code></p> <p>Droppee SHA256: <code>d723248b05b8719d5df686663c47d5789c323d04cd74b7d4629a1a1895e8f69a</code></p> <div id="nc_pixel"></div><div class="post__tags"> <a href="https://securityintelligence.com/tag/banking/" rel="tag">Banking</a><span> | </span><a href="https://securityintelligence.com/tag/banking-malware/" rel="tag">Banking Malware</a><span> | </span><a href="https://securityintelligence.com/tag/financial-malware/" rel="tag">Financial Malware</a><span> | </span><a href="https://securityintelligence.com/tag/malware/" rel="tag">Malware</a><span> | </span><a href="https://securityintelligence.com/tag/phishing/" rel="tag">Phishing</a><span> | </span><a href="https://securityintelligence.com/tag/smishing/" rel="tag">SMiShing</a><span> | </span><a href="https://securityintelligence.com/tag/whatsapp/" rel="tag">WhatsApp</a></div> <div class="post__author author "> <div class="author__box"> <div class="author__photo" style="background-image: url(https://securityintelligence.com/wp-content/themes/sapphire/images/default-pic.jpg);"></div> <div class="author__infos"> <div class="author__name"><a 
href="https://securityintelligence.com/author/nir-somech/" >Nir Somech</a></div> <div class="author__role">Malware Researcher – Trusteer IBM</div> </div> </div> </div> <!-- CONTINUE READING --> <style type="text/css"> .post__content--continue_reading{ max-height: 725px; overflow:hidden; transition: max-height cubic-bezier(0.9, 0, 1, 1) 2s; } @media (max-width: 768px) { .post__content--continue_reading{ max-height: 1225px; } } </style> <div class="continue_reading_wrapper" id="continue_reading"> <button on="tap: post__content.toggleClass(class=post__content--continue_reading), continue_reading.toggleClass(class=continue_reading_wrapper--clicked)" tabindex="0" role="button">Continue Reading</button> </div> </main> </div> </div> <aside class="grid__sidebar post__sidebar "> <div class="mobile_divider"></div> <header class="post__sidebar__header">POPULAR</header> <!-- ARTICLES --> <article class="article article_grid article__mobile--card"> <!-- IMG --> <a class="exclusive_article__category_link" href="https://securityintelligence.com/articles/what-telegrams-recent-policy-shift-means-for-cyber-crime/" aria-label="What Telegram’s recent policy shift means for cyber crime"> <div class="article__img"> <amp-img alt="" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/A-dark-mystery-hand-typing-on-a-laptop-computer-at-night-630x330.jpeg.webp"> <amp-img fallback alt="" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2024/11/A-dark-mystery-hand-typing-on-a-laptop-computer-at-night-630x330.jpeg"> </amp-img> </amp-img> </div> </a> <!-- TXT --> <div class="article__text_container" style="-webkit-box-orient: vertical;"> <!-- CAT --> <a class="article__category_link" href="https://securityintelligence.com/category/topics/risk-management/" aria-label="https://securityintelligence.com/category/topics/risk-management/"> Risk Management </a> <!-- DATE --> 
We’ll delve into the method of web injects and Man in the Browser, and… </p> </div> </a> </div> </article> <article class="article article--card cards__article_grid "> <!-- IMG --> <a class="exclusive_article__category_link" href="https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/"> <div class="article__img"> <amp-img alt="A smartphone displaying a full red screen with malware warning set on a blue circuit board" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-630x330.jpeg.webp"> <amp-img fallback alt="A smartphone displaying a full red screen with malware warning set on a blue circuit board" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2024/01/smartphone-malware-concept.-3d-render-630x330.jpeg"> </amp-img> </amp-img> </div> </a> <!-- TXT --> <div class="article__text_container" style="-webkit-box-orient: vertical;"> <!-- CAT AND DATE --> <div class="article__eyebrow"> <span class="article__date"> March 13, 2024 </span> </div> <!-- TITLE & EXCERPT --> <a href="https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/" class="article__content_link"> <div class="article__direction"> <h2 class="article__title"> PixPirate: The Brazilian financial malware you can’t see </h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 10</span> <span class="rt-label rt-postfix">min read</span></span> - </span>Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. 
PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this… </p> </div> </a> </div> </article> <article class="article article--card cards__article_grid "> <!-- IMG --> <a class="exclusive_article__category_link" href="https://securityintelligence.com/posts/fakext-targeting-latin-american-banks/"> <div class="article__img"> <amp-img alt="Side view of a laptop screen reflecting sun glare and a hand holding a credit card" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/03/Man-using-his-credit-card-online-for-shopping-and-banking-with-sunlight-coming-through-window-630x330.jpeg.webp"> <amp-img fallback alt="Side view of a laptop screen reflecting sun glare and a hand holding a credit card" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2024/03/Man-using-his-credit-card-online-for-shopping-and-banking-with-sunlight-coming-through-window-630x330.jpeg"> </amp-img> </amp-img> </div> </a> <!-- TXT --> <div class="article__text_container" style="-webkit-box-orient: vertical;"> <!-- CAT AND DATE --> <div class="article__eyebrow"> <span class="article__date"> March 7, 2024 </span> </div> <!-- TITLE & EXCERPT --> <a href="https://securityintelligence.com/posts/fakext-targeting-latin-american-banks/" class="article__content_link"> <div class="article__direction"> <h2 class="article__title"> New Fakext malware targets Latin American banks </h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 6</span> 
<span class="rt-label rt-postfix">min read</span></span> - </span>This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking… </p> </div> </a> </div> </article> </div> </section> </div> <!--SI Newsletters --> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v1.31.0-rc.0/cta-section.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/cta-section.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/next/cta-section.min.js"></script> <div style="background-color: #161616;"> <dds-cta-section data-autoid="dds--cta-section" children-custom-class="" class="container SI_padding"> <dds-cta-block no-border="" data-autoid="dds--cta-block"> <dds-content-block-heading class="copy" role="heading" aria-level="2" data-autoid="dds--content-block__heading" slot="heading"> <h2 >Topic updates</h2> </dds-content-block-heading> <dds-content-block-copy data-autoid="dds--content-block__copy" size="md" slot="copy"> <dds-content-block-paragraph data-autoid="dds--content-block-paragraph" class="copy"> Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research. 
</dds-content-block-paragraph> <div role="list" class="list_newletter"> <dds-button-cta data-autoid="dds-cta" cta-style="button" class="copy" cta-type="local" href="https://www.ibm.com/account/reg/us-en/signup?formid=news-urx-51966" kind="primary" icon-layout="" size=""> Subscribe today </dds-button-cta> </div> </dds-content-block-copy> </dds-cta-block> </dds-cta-section> </div> <dds-footer-container></dds-footer-container> <script> document.addEventListener('DOMContentLoaded', () => { const boxstyle = document.querySelector('.button2'); const removePadding = document.querySelector('dds-cta-section'); if (boxstyle) { const shadowRoot = boxstyle.shadowRoot; const bxContentSsectionDOM = shadowRoot.querySelector('.bx--btn'); if (bxContentSsectionDOM) { bxContentSsectionDOM.style.color = 'white'; bxContentSsectionDOM.style.borderColor = 'white'; bxContentSsectionDOM.addEventListener('mouseover', () => { bxContentSsectionDOM.style.color = 'white'; bxContentSsectionDOM.style.borderColor = 'white'; bxContentSsectionDOM.style.backgroundColor = 'rgba(141, 141, 141, 0.16)'; // }); // when mouse leave the element bxContentSsectionDOM.addEventListener('mouseout', () => { bxContentSsectionDOM.style.color = 'white'; bxContentSsectionDOM.style.borderColor = 'white'; bxContentSsectionDOM.style.backgroundColor = 'transparent'; // Reset background color }); } } if(removePadding){ const shadowRoot = removePadding.shadowRoot; const removespace = shadowRoot.querySelector('.bx--content-section__leading'); if(removespace){ removespace.style.display = 'none'; } } }); document.querySelector("dds-footer-container").size = 'default'; //Uncomment this to add a custom links. 
// document.querySelector("dds-footer-container").adjunctLinks = [{ // 'title': 'IBM Custom Link', // 'link': 'https://ibm.com' // }, // { // 'title': 'IBM Custom Link2', // 'link': 'https://ibm.com' // } // ]; </script> <!--SI close Newsletters--> <div style="background-color: #13171a;"> <div class="container"> <!-- FOOTER --> <section id="footer" class="footer"> <!-- LOGO --> <div class="footer__logo"> <amp-img width="280" height="31" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/logo-white.svg" alt="Security Intelligence"></amp-img> </div> <!-- COPY --> <div class="footer__copy"><p>Analysis and insights from hundreds of the brightest minds in the cybersecurity industry to help you prove compliance, grow business and stop threats.</p> </div> <!-- LINKS --> <div class="footer__list"> <a href="/news/" class="footer__link">Cybersecurity News</a> <a href="/category/topics/" class="footer__link">By Topic</a> <a href="/category/industries/" class="footer__link">By Industry</a> <a href="/series/" class="footer__link">Exclusive Series</a> <a href="/x-force/" class="footer__link">X-Force</a> <a href="/media/" class="footer__link">Podcast</a> <a href="/events/" class="footer__link">Events</a> <a href="/about-us/" class="footer__link">Contact</a> <a href="/about-us/" class="footer__link">About Us</a> </div> <!-- SOCIAL NETWORKS --> <div class="footer__social-networks"> <div class="headline">Follow us on social</div> <a href="http://www.twitter.com/ibmsecurity" aria-label="Twitter" class="footer__icon" style="left:-4px;"> <svg xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 28 28" fill="#FFFFFF"> <path d="M24 4.557c-.883.392-1.832.656-2.828.775 1.017-.609 1.798-1.574 2.165-2.724-.951.564-2.005.974-3.127 1.195-.897-.957-2.178-1.555-3.594-1.555-3.179 0-5.515 2.966-4.797 6.045-4.091-.205-7.719-2.165-10.148-5.144-1.29 2.213-.669 5.108 1.523 6.574-.806-.026-1.566-.247-2.229-.616-.054 2.281 1.581 4.415 3.949 
4.89-.693.188-1.452.232-2.224.084.626 1.956 2.444 3.379 4.6 3.419-2.07 1.623-4.678 2.348-7.29 2.04 2.179 1.397 4.768 2.212 7.548 2.212 9.142 0 14.307-7.721 13.995-14.646.962-.695 1.797-1.562 2.457-2.549z" /> </svg> </a> <a href="http://www.linkedin.com/company/ibm-security" aria-label="LinkedIn" class="footer__icon" style="justify-self: center;"> <svg xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 28 28" fill="#FFFFFF"> <path d="M4.98 3.5c0 1.381-1.11 2.5-2.48 2.5s-2.48-1.119-2.48-2.5c0-1.38 1.11-2.5 2.48-2.5s2.48 1.12 2.48 2.5zm.02 4.5h-5v16h5v-16zm7.982 0h-4.968v16h4.969v-8.399c0-4.67 6.029-5.052 6.029 0v8.399h4.988v-10.131c0-7.88-8.922-7.593-11.018-3.714v-2.155z" /> </svg> </a> <a href="https://www.youtube.com/@IBMTechnology" aria-label="YouTube" class="footer__icon" style="justify-self: end;"> <svg xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 28 28" fill="#FFFFFF"> <path d="M19.615 3.184c-3.604-.246-11.631-.245-15.23 0-3.897.266-4.356 2.62-4.385 8.816.029 6.185.484 8.549 4.385 8.816 3.6.245 11.626.246 15.23 0 3.897-.266 4.356-2.62 4.385-8.816-.029-6.185-.484-8.549-4.385-8.816zm-10.615 12.816v-8l8 3.993-8 4.007z" /> </svg> </a> </div> </section> </div> </div> <div style="background-color:black"> <div class="container"> <!-- UTILITIES BAR --> <section class="utility_bar"> <!-- LINKS --> <div class="utility_bar__links" aria-label="Footer Navigation"> <a href="http://www.ibm.com?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" rel="noopener, noreferrer">© 2024 IBM</a> <a href="https://www.ibm.com/contact/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" rel="noopener, noreferrer">Contact</a> <a href="https://www.ibm.com/privacy/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" rel="noopener, noreferrer">Privacy</a> <a 
href="https://www.ibm.com/legal/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=03001744655915532865554&cm_mc_sid_50200000=84159441565120380187" target="_blank" rel="noopener, noreferrer">Terms of use</a> <a href="https://www.ibm.com/accessibility/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" rel="noopener, noreferrer">Accessibility</a> <a href="#" onclick="truste.eu.clickListener();return false;" target="_blank" rel="noopener, noreferrer">Cookie Preferences</a> </div> <!-- Sponsor credits --> <div class="utility_bar__sponsor"> <a href="http://ibm.com/security?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" data-icon="B" class="icon ibm" rel="noopener, noreferrer" style="padding-right:0px"> <span>Sponsored by <svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 31.97 14.06"> <defs> <style> .cls-1 { fill: #fff; } </style> </defs> <title>si-icon-eightbarfeature</title> <path class="cls-1" 
d="M27.17,12.6h4.21v.84H27.17Zm0-1.68h4.21v.84H27.17Zm0-1.68h2.52v.84H27.17Zm0-1.69h2.52V8.4H27.17Zm0-1.68h2.52v.84H27.17Zm-.84-4.2.28-.85h4.77v.85Zm-.56,1.68.29-.84h5.32v.84ZM25.22,5l.28-.84h4.19V5Zm-.56,1.68L25,5.87h2.22l-.27.84Zm0,6.73-.28-.84H25Zm-.55-1.68-.29-.84H25.5l-.28.84Zm-.56-1.68-.27-.84H26l-.27.84ZM23,8.4l-.29-.85h3.9l-.28.85Zm-.57-1.69-.27-.84h2.22l.28.84Zm-2.8,2.53h2.53v.84H19.63Zm0-1.69h2.53V8.4H19.63Zm0-1.68h2.53v.84H19.63Zm0-.84V4.19h4.19l.29.84ZM18,12.6h4.21v.84H18Zm0-1.68h4.21v.84H18Zm0-7.57V2.51h5.32l.28.84Zm0-1.68V.82h4.76l.29.85ZM14.16,9.24H17a2.23,2.23,0,0,1,.07.37,2.49,2.49,0,0,1,0,.47H14.16Zm0-5h2.95a2.38,2.38,0,0,1,0,.46A2.18,2.18,0,0,1,17,5H14.16ZM9.11,9.24h2.52v.84H9.11Zm0-1.69H16a5,5,0,0,1,.4.4,2,2,0,0,1,.32.45H9.11Zm0-1.68h7.57a2,2,0,0,1-.32.45,4.89,4.89,0,0,1-.4.39H9.11Zm0-1.68h2.52V5H9.11ZM7.42,12.6H16a3.09,3.09,0,0,1-1,.62,3.73,3.73,0,0,1-1.32.22H7.42Zm0-1.68H17a2.47,2.47,0,0,1-.15.46,2.24,2.24,0,0,1-.21.38H7.42Zm0-8.41h9.22a1.91,1.91,0,0,1,.21.38,2.47,2.47,0,0,1,.15.46H7.42Zm0-1.69H13.6a3.73,3.73,0,0,1,1.32.23,3.09,3.09,0,0,1,1,.62H7.42Zm-5,8.42H4.9v.84H2.38Zm0-1.69H4.9V8.4H2.38Zm0-1.68H4.9v.84H2.38Zm0-1.68H4.9V5H2.38ZM.69,12.6H6.58v.84H.69Zm0-1.68H6.58v.84H.69Zm0-8.41H6.58v.84H.69ZM.69.82H6.58v.85H.69Z" /> </svg> </span> </a> </div> </section> </div> </div> <script> window._appInfo = window._appInfo || {}; window._appInfo.newsCredAPIKey = "YXJ0aWNsZT02MTIzM2Q1Yzc5ZWExMWVmOWRjNWMyMzk2MWUyNTBhOA=="; </script> <!-- FOOTER SCRIPTS --> <script type="text/javascript" id="qppr_frontend_scripts-js-extra"> /* <![CDATA[ */ var qpprFrontData = {"linkData":{"https:\/\/securityintelligence.com\/defining-security-intelligence\/":[0,0,"https:\/\/securityintelligence.com\/defintion-security-intelligence\/#.VS_NwpNnuZA"],"https:\/\/securityintelligence.com\/security-vulnerability-management-its-about-outcomes-not-activity\/":[0,0,""]},"siteURL":"https:\/\/securityintelligence.com","siteURLq":"https:\/\/securityintelligence.com"}; /* ]]> */ 
</script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/plugins/quick-pagepost-redirect-plugin/js/qppr_frontend_script.min.js?ver=5.2.4" id="qppr_frontend_scripts-js"></script> <script> setTimeout(() => { document.querySelector(".related_content").style.visibility = 'visible'; document.querySelector(".related_content.article.article_grid.article__mobile--card.article--IBM_blog > c4d-card > c4d-card-footer").shadowRoot.querySelector("#link").style.justifyContent = 'flex-start'; }, 100); </script> </body> </html>