Posted on September 30, 2021 at 10:50 AM

Hackers Launch Two Apps that Steal Data from Banking Applications

Researchers have detected two new malicious Android applications that are available on Google Play Store. The malicious applications are being used to target users in Brazil who are registered in the country’s instant payment platform.

The reports have stated that this malicious application is being used to lure victims into transferring money from their bank accounts and sending it into a bank account linked to the cybercriminals. This leaves investors with major losses.

Used Different Variants of the Malware

The report further stated that the hackers had employed different types of malware in the bid to defraud users.

An analysis conducted by Check Point stated that “The attackers distributed two different variants of banking malware, named PixStealer and MalRhino, through two separate malicious applications to carry out their attacks.”

“Both malicious applications were designed to steal the money of victims through user interaction and the original PIX application,” the report added. Since the malware was detected, the two applications have been removed from the app store.

Pix Payments Platform

Brazil’s Pix Payments Platform was created in November 2020. It was created by the Central Bank of Brazil, the country’s regulatory body that monitors the monetary system and regulates financial institutions.

Due to being created and regulated by the Brazil Central Bank, Pix functions as a state-owned payments platform that allows individuals and companies to transfer money out of their bank accounts without the hectic process of using debit cards and credit cards. Because of the convenience offered by this platform, it has become highly popular with people in Brazil.

However, the popularity of this platform has also attracted some threat actors who are looking for a way to defraud the rising number of people who are using the platform, especially with the occurrences of the Covid-19 pandemic that has made digital payments more popular.

When the PixStealer malware was first detected, it was being distributed on the Play Store as a fake PagBank Cashback service application. The malware was created to allow the hackers to gain access to the victim’s bank account and steal funds from the account by gaining full control over it.

The other tool used by these hackers is the MalRhino. This tool disguises itself as a mobile token application that has been created by Brazil’s Inter-bank. The tool comes with a wide range of advanced features that give it access to the victim’s device. This way, the app can gain access to details regarding the installed apps on the device. Furthermore, it can also retrieve the PIN details for various banks.

The researchers further stated that “When a user opens their PIX bank application, Pixstealer show the victim an overlay window, where the user can’t see the attacker’s moves. Behind the overlay window, the attacker retrieves the available amount of money and transfers the money, often the entire account balance, to another account.”

Both PixStealer and MalRhino have been linked to having the same features because they both abuse the accessibility feature available on Android devices. This allows the device to compromise the device by conducting various malicious actions.

However, these are not the only two applications that disguise themselves as a genuine platform only for them to steal data from user devices. Mobile malware has become very common, and threat actors have devised ways that they can use to penetrate devices stealthily while avoiding detection by the users.

When the device has been installed, it fakes an overlay process that will hijack the phone’s entire operations, and the phone’s screen is filled with the message, “Synchronizing your access… Do not turn off your mobile screen.” However, while this is happening, the application will be operating in the background and looking for a transfer feature that will allow transactions to happen using accessibility APIs.

Out of the two malware, the MalRhino has picked interest because it uses the Rhino JS framework on Mozilla. This allows the malware to execute JavaScript commands on the banking applications on the device. However, it will only run these commands if the user has provided accessibility services to the device.

The researcher further stated that the technique is not common on mobile devices. However, it showed that threat actors are exploring innovative ways to avoid detection while infiltrating the Google Play Store.

“With the increasing abuse of the Accessibility Service by mobile banking malware, users should be wary of enabling the relevant permissions even in the applications distributed via known app stores such as Google Play,” the research added.