Check Point Research: PixStealer new Android banking Trojan


PixStealer: Check Point Research (CPR), the research unit of Check Point Software Technologies, for cyberattacks on users of PIX, the instant payment system managed by the Central Bank of Brazil, has discovered that cybercriminals have tricked users into transferring the entire balance of their account to another bank account, distributing two malicious applications in the Google Play Store.

Applications have now been removed from the Google Play Store, but Check Point Software recommends that users immediately remove malicious applications from their mobile phones.

pix blog header 1

Check Point Research (CPR) has detected cyberattacks against users of PIX, the instant payment solution developed and managed by the Central Bank of Brazil. The attackers distributed two different variants of banking malware, called PixStealer and MalRhino, through two different malicious applications in the Google Play Store to carry out their attacks. Both malicious applications were designed to steal victims' money through user interaction and the original PIX application.

PIX is considered the number one payment solution in Brazil, handling more than 40 million transactions a day and managing $ 4,7 billion a week.

 

 Name Package Name Md5
Inter bankbr.com.intermidium2ef536239b84195e099013cfda06d3dd
Nubankcom.nu.production678212691ab75ea925633512d9e3b5f4
Nextbr.com.bradesco.nextd74e8b32e9d704633bd69581a15f55de
Santandercom.santander.app38737771e1ddab60c062cd0be323e89b
UOL PagBankingbr.com.uol.ps.myaccount5b3deb74ec783b05645b3fff5d56667d
Banco origafterbr.com.original.bank64679e8af5f494db86fb7b7312e79ba9

PixStealer transfers account amounts to intruder accounts

The first variant is called PixStealer. In what CPR calls a "slim" form, the attackers designed PixStealer with only one option: to transfer the victim's money to an account controlled by the perpetrator.

1

PixStealer's "slim" presentation is a reference to the variant's ability to operate offline with a command and control (C&C) server, promoting unobtrusive detection. CPR eventually found PixStealer distributed in the Google Play Store as a fake PagBank Cashback service, targeting only the Brazilian PagBank.

When a user opens the PIX bank application, Pixstealer displays an overlay window on the victim, where the user cannot see the intruder's movements. Behind the overlay window, the attacker recovers the available amount of money and transfers the money, often the entire account balance, to another account.

MalRhino completely steals banking applications

CPR has found a more advanced variant of banking malware capable of capturing the entire PIX application for mobile and other banking applications. Named MalRhino, CPR found the most sophisticated version of the malware in a fake iToken app for Brazilian Inter Bank - which is also distributed through Google's Play Store. MalRhino displays a message to its victim trying to persuade him / her to grant access. Once this is done, MalRhino can:

  • Get the installed application and send the list to the C & C Server along with the victim's device information.
  • Execute banking applications
  • Recover the pin from the Nubank application

IOCs

PixStealer

28e8170485bbee78e1a54aae6a955e64fe299978cbb908da60e8663c794fd195 com.pagcashback.beta c0585b792c0a9b8ef99b2b31edb28c5dac23f0c9eb47a0b800de848a9ab4b06c com.pagback.beta

8b4f064895f8fac9a5f25a900ff964828e481d5df2a2c2e08e17231138e3e902 com.gnservice.beta

MalRhino

2990f396c120b33c492d02e771c9f1968239147acec13afc9f500acae271aa11 com.gnservice.beta

Comment by Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software Technologies:

"We live in an age where cybercriminals do not have to hack into a bank to steal money. All a cyber criminal needs to do is understand the platforms used by banks and their respective pitfalls. There is a growing trend where cybercriminals are chasing institutional banking applications. This time, we detected cyberattacks against users of Brazil's No. 1 banking app.

The attack involved two malicious applications, which at one time could be found in the Google Play Store, but no longer.

The attackers presented a thin version, which performed an overlay when using the legal application and a complete version that has the ability to eventually occupy the entire banking application. We believe that these cyber attacks are a strong sign that the criminals in it tend to develop their activities around the android banking malware, with the aim of transferring victims' money to their own accounts. In a world where everything is done remotely because of Covid, we recommend that users immediately remove malicious applications from their mobile phones.

I also urge all users of banking applications to beware of banking malware that is embedded in mobile applications. "CPR will continue to monitor the latest technological trends and the way cybercriminals exploit them."


Read them Technology News from all over the world, with the validity of iGuRu.gr

Follow us on Google News iGuRu.gr at Google news