Check Point Research (CPR) discovers cyber attacks on users of PIX, the instant payment system managed by the Brazilian Central Bank. Cyber criminals tricked users into transferring their entire account balances into another bank account, by distributing two malicious applications on Google’s Play Store.
- Attackers lure victims into installing fake malicious mobile applications
- Malicious mobile applications trick victims into granting accessibility permissions
- Once granted, attackers can access the PIX payment system and proceed to steal money
- The app has since been removed from Google’s Play Store
- Check Point recommends users remove the malicious apps from their mobile phones immediately
29th September 2021 – Check Point Research (CPR) detected cyber attacks against the users of PIX, the instant payment solution created and managed by the Brazilian Central Bank. The attackers distributed two different variants of banking malware, named PixStealer and MalRhino, through two separate malicious applications on Google’s Play Store to carry out their attacks. Both malicious applications were designed to steal victims’ money through user interaction and the original PIX application.
PIX is considered the number one payment solution in Brazil, processing over 40 million transactions a day and moving 4.7 billion dollars a week.
PixStealer Funnels Entire Account Balances to Attacker Accounts
The first variant is dubbed PixStealer. Presented in what CPR calls a “slim” form, PixStealer was designed by the attackers with only one capability: transferring a victim’s funds to an actor-controlled account. The “slim” label refers to the variant’s ability to operate without a connection to a command and control (C&C) server, which helps it go undetected. CPR ultimately found PixStealer being distributed on Google’s Play Store as a fake PagBank Cashback service, targeting only the Brazilian PagBank.