Fabes Tech Reviews

This cunning Android virus has a brand new method to evade detection.

A new variant of a popular Android banking trojan has been discovered by cybersecurity researchers, and it uses some ingenious techniques to evade detection.

PixPirate is primarily aimed at Brazilian consumers and the Pix quick payment platform, which claims to serve over 140 million users and transactions worth more than $250 billion.

The plan all along was to transfer the funds to accounts controlled by the attackers. Android banking trojans typically alter their app names and icons to blend in. In order to deceive their victims into looking in the wrong places or into being too scared to uninstall the software, trojans would frequently pretend to be the “settings” icon. But since PixPirate does not have an icon to begin with, all of it becomes irrelevant.

Launching the malicious program

The major catch is that without an icon, victims cannot launch the trojan themselves, so the onus is on the attackers to handle that vital step.

The campaign consists of two applications: the dropper and the “droppee”. The dropper, which is distributed through dubious online marketplaces, social media platforms, and third-party vendors, is designed to deliver the final payload, the droppee, and run it (after requesting Accessibility and other permissions).

PixPirate, whose filename is Droppee, exports a service that other apps can connect to. The dropper connects to that service and uses it to run the trojan. Even after the dropper is removed, the malware can still run on its own in response to certain triggers (such as boot, network change, or other system events).

Everything is carried out automatically, in the background, without the victim’s awareness or permission, from gathering user credentials to starting the money transfer. The researchers assert that the Accessibility Service permissions are the sole obstacle.

Note that this approach is incompatible with newer versions of Android, specifically those that come after Pie (9).
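
A defender-side check for the pattern described above, as an added example that is not from the article or the researchers: it audits a text-form AndroidManifest.xml for a missing launcher icon combined with an exported service and boot or network-change receivers. The sample manifest and its package and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
NAME, EXPORTED, PERMISSION = NS + "name", NS + "exported", NS + "permission"
TRIGGERS = {"android.intent.action.BOOT_COMPLETED", "android.net.conn.CONNECTIVITY_CHANGE"}

def has_launcher(app):
    """True if one intent filter pairs MAIN with LAUNCHER (what gives an app its icon)."""
    for f in app.findall("activity/intent-filter") + app.findall("activity-alias/intent-filter"):
        actions = {e.get(NAME) for e in f.findall("action")}
        categories = {e.get(NAME) for e in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False

def is_exported(component):
    # Explicit android:exported wins; if absent, an intent filter implies exported (targets below API 31).
    value = component.get(EXPORTED)
    return value == "true" if value is not None else component.find("intent-filter") is not None

def audit_manifest(xml_text):
    app = ET.fromstring(xml_text).find("application")
    services = app.findall("service")
    a11y = [s.get(NAME) for s in services
            if s.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    exported = [s.get(NAME) for s in services if is_exported(s) and s.get(NAME) not in a11y]
    receivers = {}
    for r in app.findall("receiver"):
        hits = TRIGGERS & {e.get(NAME) for e in r.findall("intent-filter/action")}
        if hits:
            receivers[r.get(NAME)] = sorted(hits)
    report = {"launcher_icon": has_launcher(app), "exported_services": exported,
              "accessibility_services": a11y, "trigger_receivers": receivers}
    # Heuristic from the article: no icon, yet startable by another app and by system events.
    report["suspicious"] = not report["launcher_icon"] and bool(exported) and bool(receivers)
    return report

# Constructed manifest for illustration; the package and component names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.droppee">
 <application>
  <service android:name=".StartService" android:exported="true"/>
  <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
   <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
  </service>
  <receiver android:name=".WakeReceiver">
   <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
  </receiver>
 </application>
</manifest>"""
```

Legitimate apps without a launcher icon exist (input methods, plugins, widget providers), so the `suspicious` flag is a triage signal to combine with the app's install source and its Accessibility request, not a verdict.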