Brief summary

This blog post continues our earlier post on the PixPirate malware; if you have not read it yet, we recommend doing so before going through this material. As a reminder, PixPirate consists of two parts: a downloader application and a droppee application, both custom-built and operated by the same fraud group. A downloader's traditional job is only to install the droppee on the victim's device, but the PixPirate downloader also controls the droppee: without the downloader, the droppee (the malware itself) never starts. The downloader can also send commands to the droppee for execution and takes an active part in the droppee's operations.

The PixPirate downloader poses as a legitimate authentication application that helps users secure their bank accounts.

Figure 1: PixPirate downloader icons.

The PixPirate downloader is not distributed through the Google Play Store; it spreads through smishing campaigns or through WhatsApp spam sent from an already-infected user's account. The victim is tricked into downloading and installing the downloader. Once running, the downloader tells the victim that an updated version of the application is available and asks for permission to install apps from unknown sources, which it then uses to install the PixPirate droppee.

The fresh PixPirate campaign

In recent months, the Trusteer research lab identified a new wave of PixPirate activity in Brazil that directly targets Brazilian banks. PixPirate currently focuses mainly on the Pix instant payment service integrated into many Brazilian banking applications.

In the ongoing campaign, Trusteer observed infections concentrated in Brazil (nearly 70% of all infections), with a reach extending to other markets, including India and, more recently, Italy and Mexico. India is the second most affected country, accounting for almost 20% of global infections. No Indian banks are explicitly targeted yet, but the Trusteer research lab assumes the malware's developers are preparing for future campaigns in India. One plausible driver is the wide adoption of India's Unified Payments Interface (UPI) instant payment service, used by millions of Indian consumers as the country's primary payment platform and regulated by the Reserve Bank of India (RBI).

Figure 2: A pie chart depicting the distribution of PixPirate across multiple countries.

Effortless installation of the PixPirate droppee

The newly identified campaign introduces a new version of the downloader that links to a YouTube video walking the prospective victim through installing the droppee Android package (APK) and granting every permission and capability the malware needs to run fully on the device. The video imitates a genuine tutorial for installing a legitimate financial services app and has accumulated over 78,000 views. That count gives a rough indication of the campaign's reach, assuming that each viewer went on to install PixPirate without realizing what it was.

In the video, a user launches the downloader for the first time; it looks like a legitimate financial services app. The downloader then asks the user to install an updated version of itself. Instead of an update, the victim unknowingly installs a second, malicious application: the droppee, which contains the PixPirate malware proper. The malware stays out of sight by not placing an icon on the infected device's home screen.

As explained in the earlier PixPirate write-up, staying invisible gives the malware clear advantages, above all a longer infection window in which to commit financial fraud. It also creates a problem: without an icon, the victim cannot manually "activate" or start the malware, so something else has to. That is where the downloader comes back in as the component responsible for executing the malware. The earlier Trusteer blog described the unusual way the downloader ran the droppee; in the current campaign, Trusteer found a new launch method, described in the next section.

New execution method for PixPirate droppee

The previous Trusteer blog post analyzed how the PixPirate droppee hides its icon and the unusual method the downloader then used to run it. In the latest campaign, the downloader uses a new way to launch the droppee.

In this new approach, the downloader is still the component that starts the invisible droppee. The droppee declares an activity in its manifest with an intent filter for one of these custom action names:

  • “com.ticket.stage.Service”
  • “com.ticket.action.Service”
  • “com.sell.allday.Service”

When the downloader wants to run the droppee, it first has to find the droppee activity registered for that action, together with the droppee's package name. It does so with the PackageManager API queryIntentActivities(android.content.Intent, int), passing an intent whose action is one of the names above. This call returns every installed activity whose intent filter matches the given intent, as a list of ResolveInfo objects with one entry per matching activity.

The function below builds a list of intents, one for every activity in any installed package that declares one of the droppee action names. The downloader loops over the list of droppee action names and calls queryIntentActivities for each. For every ResolveInfo returned, it creates an explicit intent from the activity's class name and package name and stores it in an array, which the function returns.

Figure 3: PixPirate downloader function responsible for obtaining droppee launching activity.

In the next function, the for loop calls get_potential_droppee_packagenames, which returns that list of intents for all activities carrying one of the droppee action names. For each intent, the downloader checks whether the package name is indeed the droppee's. If so, it adds the other data the droppee needs to the intent and calls startActivity(android.content.Intent) to start the droppee activity, which runs the droppee. Note that on Android an activity that declares an intent filter is exported unless android:exported="false" is set explicitly, so any app on the device, including the downloader, can start it with that action; this is what the mechanism relies on.

Figure 4: PixPirate downloader function for the execution of PixPirate droppee.
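A defender's counterpart to this launch mechanism is a manifest check. The Python script below is an added example (not code from the Trusteer write-up or from PixPirate): it parses a decoded AndroidManifest.xml, as produced by apktool, reports every activity whose intent filter carries one of the three action names above, whether other apps can start it, and whether the package exposes any launcher activity at all. The sample manifest embedded in it, including the package and activity names, is constructed for the example; only the three action names come from the write-up.

```python
"""Flag manifest activities reachable through PixPirate-style custom actions.

Added example, not code from the Trusteer post or from the malware. Input is a
decoded AndroidManifest.xml (e.g. apktool output). The sample manifest below is
constructed for this example; the action names come from the write-up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Action names the downloader queries for (from the write-up).
PIXPIRATE_ACTIONS = {
    "com.ticket.stage.Service",
    "com.ticket.action.Service",
    "com.sell.allday.Service",
}

MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_droppee_activities(manifest_xml, actions=PIXPIRATE_ACTIONS):
    """Return one record per activity whose intent filter carries a watched action.

    'exported' mirrors Android's rule: an activity with an intent filter is
    exported unless android:exported="false" is set explicitly, so any app on
    the device (here, the downloader) can start it with that action.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    hits = []
    for activity in app.iter("activity"):
        matched = set()
        for flt in activity.findall("intent-filter"):
            names = {_attr(a, "name") for a in flt.findall("action")}
            matched |= names & set(actions)
        if matched:
            hits.append({
                "package": root.get("package"),
                "activity": _attr(activity, "name"),
                "actions": sorted(matched),
                "exported": _attr(activity, "exported") != "false",
            })
    return hits


def has_launcher_activity(manifest_xml):
    """True if any activity (or alias) has a MAIN/LAUNCHER filter, i.e. an icon."""
    root = ET.fromstring(manifest_xml)
    entries = list(root.iter("activity")) + list(root.iter("activity-alias"))
    for act in entries:
        for flt in act.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            cats = {_attr(c, "name") for c in flt.findall("category")}
            if MAIN in actions and LAUNCHER in cats:
                return True
    return False


# Constructed sample: a droppee-style manifest with no launcher activity.
# Package and activity names are made up for this example.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.droppee">
  <application android:label="Update">
    <activity android:name=".EntryActivity" android:exported="true">
      <intent-filter>
        <action android:name="com.ticket.stage.Service"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity"/>
  </application>
</manifest>
"""


if __name__ == "__main__":
    for hit in find_droppee_activities(SAMPLE_MANIFEST):
        print(hit)
    print("launcher icon:", has_launcher_activity(SAMPLE_MANIFEST))
```

Run it against the decoded manifest of a suspicious package: an exported activity that matches one of the actions in a package with no launcher activity fits the droppee profile described here. A matching action name alone is a triage signal, not proof; the names can change between builds, so confirm with the file hashes in the IOCs section.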

WhatsApp: main player in the PixPirate distribution strategy

As part of installing the PixPirate downloader on a device, the downloader checks whether the WhatsApp instant messaging application is present. The downloader carries a WhatsApp APK in its assets directory, so if WhatsApp is missing from the victim's device, the malware pushes the victim to install it.

Figure 5: Downloader assets.

The image above shows the contents of the assets folder in the downloader APK; wsv2.jpeg is the WhatsApp APK, stored under an image extension. The other files are different versions of the droppee APK.

Because it bundles the WhatsApp APK, the downloader is nearly 100 MB in size. That is far larger than other common banking-malware downloaders, which typically contain little code and limited functionality because their only job is to download and install the droppee, not to run it.
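The assets listing above suggests a simple triage check for downloader samples: look for assets whose extension claims an image or data file but whose content is a ZIP archive carrying an Android manifest or DEX, which is what a bundled APK looks like. The Python script below is an added example, not code from the Trusteer write-up; it builds a small APK-shaped ZIP in memory (the file names and contents, including the disguised wsv2.jpeg, are constructed for the example) and scans its assets/ directory by content rather than by extension.

```python
"""Find APKs hidden inside an APK's assets/ directory, whatever their extension.

Added example, not code from the Trusteer post. The sample archive below is
constructed in memory for this example; names and contents are made up.
"""
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
APK_MARKERS = ("AndroidManifest.xml", "classes.dex")


def build_zip(entries):
    """Create a ZIP archive in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_embedded_apks(apk_bytes):
    """Return a record for each asset that is a ZIP, flagging APK-like ones."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = outer.read(info)
            # Decide by content, not by name: the disguised file is a ".jpeg".
            if not data.startswith(ZIP_MAGIC):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue
            hits.append({
                "path": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_apk": any(m in names for m in APK_MARKERS),
            })
    return hits


def suspicious_assets(apk_bytes):
    """Paths of assets that are APKs, sorted for stable output."""
    return sorted(h["path"] for h in find_embedded_apks(apk_bytes) if h["is_apk"])


# Constructed sample outer APK (not a real sample).
_inner_apk = build_zip({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\0" + b"\0" * 16,
})
SAMPLE_APK = build_zip({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\0",
    "assets/wsv2.jpeg": _inner_apk,                          # APK behind an image name
    "assets/d1.bin": _inner_apk,                             # droppee-style blob
    "assets/logo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 32,    # genuine image header
    "assets/notes.zip": build_zip({"readme.txt": b"hi"}),    # ZIP, but not an APK
})


if __name__ == "__main__":
    for hit in find_embedded_apks(SAMPLE_APK):
        print(hit)
```

For a real sample, pass the APK's bytes (open(path, "rb").read()) and compare the sha256 of each embedded APK with the droppee hash in the IOCs section; an asset that is an APK but whose hash you do not recognize is worth pulling out and analyzing on its own.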

The PixPirate droppee uses WhatsApp to send malicious phishing messages from the victim's own WhatsApp account, spreading itself to further devices. The malware can read the victim's contact list, add contacts, and then send WhatsApp messages to those contacts or even to WhatsApp groups to reach and infect more people.

The WhatsApp-related capabilities include:

  • Sending messages
  • Deleting messages
  • Creating groups and sending messages to them
  • Reading and deleting the user's contacts
  • Adding and editing the user's contacts
  • Blocking and unblocking other WhatsApp accounts

While it sends WhatsApp messages, PixPirate draws an overlay over the device screen so the victim does not notice the malware operating the WhatsApp app.

Figure 6: PixPirate new contamination approach.

Sending phishing messages over WhatsApp is highly effective for spreading to new victims, for two main reasons:

  1. WhatsApp messages carry more credibility than SMS. Smishing is a well-known tactic of fraudsters and attackers for spreading spam and malicious content, and users are generally wary of it; that caution is far less developed for WhatsApp messages.
  2. Unlike smishing, where the sender is usually unknown to the recipient and therefore suspicious, a WhatsApp message arrives from a known contact. This gives the recipient a false sense of security that the message is genuine.

Using WhatsApp accelerates PixPirate infections and opens the way to spreading the malware to additional victims and devices, whether or not they are intended targets.

Sending a WhatsApp message

The image below shows the PixPirate function that sends WhatsApp messages from the victim's account. It takes three parameters:

  • Contact list: the contacts to which the malicious WhatsApp message is sent
  • messagesArr: an array of messages to send
  • sleepTime: how long to pause between one message and the next

The malware then takes a phone number from the victim's contact list and builds an intent whose data field carries the target phone number and the text to send, in the form WhatsApp accepts for composing a message to a number. It sets the intent's package to WhatsApp's package name, com.whatsapp, and starts the activity, which opens the WhatsApp compose screen with the message filled in.

Figure 7: Malware initiating a WhatsApp message.

In the next image, after the message has been composed, the malware locates the send button and uses the device's Accessibility service to click it, as a human user would, sending the WhatsApp message to the intended recipient.

Figure 8: Malware dispatching WhatsApp message function.

Recap

PixPirate is a dangerous remote access trojan (RAT) campaign first identified in late 2021 that has resurfaced in a new campaign infecting devices mainly in Brazil and India, with early activity in Italy and Mexico. Its threats stem from its abuse of accessibility services: remote-control capabilities for automated fraud, data theft, propagation through WhatsApp messages, hiding itself and resisting removal, intercepting SMS, recording user activity, and more. The malware also includes anti-virtual-machine (anti-VM) and obfuscation features.

This latest version of PixPirate adds a new concealment technique to hide its presence on the device: it shows no icon on the home screen.

Early in its evolution, PixPirate targeted Pix payment services and Brazilian banks only within Brazil. The current iteration and campaign identified by Trusteer Lab has spread to other regions, with a notable focus on India. Although Trusteer has not yet identified any Indian targets, this is presumed to be only the beginning for this carefully managed malware, which may yet outgrow its name.

IOCs

Downloader SHA256: 1196c9f7102224eb1334cef1b0b1eab070adb3826b714c5ebc932b0e19bffc55

Droppee SHA256: d723248b05b8719d5df686663c47d5789c323d04cd74b7d4629a1a1895e8f69a