Six Android malware families target Pix payments, banking apps, and crypto wallets

By user, March 12, 2026
Cybersecurity researchers have discovered six new Android malware families with the ability to steal data from compromised devices and commit financial fraud.

The families range from traditional banking Trojans such as PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT to a full-fledged remote administration tool, SUXRAT.

According to Zimperium, PixRevolution targets Brazil’s Pix instant payment platform, hijacking victims’ money transfers in real time and directing them to threat actors instead of the intended recipients.

“This new malware operates covertly within the device until the moment the victim initiates the Pix transfer,” security researcher Azim Jaswant said. “What differentiates this threat from traditional banking Trojans is its fundamental design: a human or AI agent operator is actively involved at the remote end, instantly observing the victim’s phone screen and ready to act at the precise moment of the transaction.”

The malware propagates through fake Google Play Store listing pages impersonating apps such as Expedia, Sicredi, and Correios, tricking users into installing a malicious dropper APK. Once installed, the app prompts the user to enable accessibility services, which it relies on to carry out the fraud.

It also connects to an external server over TCP on port 9000, sends periodic heartbeat messages containing device information, and activates real-time screen capture via Android’s MediaProjection API. PixRevolution’s core feature, however, is monitoring the victim’s screen and presenting a fake overlay as soon as the victim enters the desired amount and the recipient’s Pix key to initiate the payment.

At this point, the trojan displays a fake WebView overlay reading “Aguarde…” (Portuguese/Spanish for “wait”), while in the background it replaces the recipient’s Pix key with the attacker’s key and completes the transfer. In the final stage, the overlay is removed and the victim is shown a “transfer complete” confirmation screen in the Pix app.
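A defender-side triage heuristic for the capability mix the PixRevolution description above relies on (an accessibility service, MediaProjection screen capture and the overlay permission declared together in one app), written as an added example that is not code from the article or from Zimperium. The manifest is constructed for illustration; the permission and attribute names are standard Android ones, and the `verdict` scale is an assumption of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PERM_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
PERM_OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
PERM_MEDIA_PROJECTION = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"

# Constructed sample of a decoded AndroidManifest.xml (not a real malware sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakestore">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".AssistService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".CaptureService"
             android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""

def _attr(element, name):
    """Read an android:-namespaced attribute; ElementTree stores it as {ns}name."""
    return element.get(f"{{{ANDROID_NS}}}{name}", "")

def triage_manifest(manifest_xml: str) -> dict:
    """Flag the three capabilities that together enable the overlay-and-key-swap
    fraud. Any one alone is common in legitimate apps; the combination in an app
    posing as a shop or bank is what warrants manual review (verdict scale is assumed)."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    services = list(root.iter("service"))
    findings = {
        # Accessibility service: lets the app read screen content and inject input.
        "accessibility_service": any(
            _attr(s, "permission") == PERM_ACCESSIBILITY for s in services),
        # MediaProjection: real-time screen capture streamed to the operator.
        "screen_capture": PERM_MEDIA_PROJECTION in perms or any(
            "mediaProjection" in _attr(s, "foregroundServiceType") for s in services),
        # Overlay permission: needed to draw a fake "wait" screen over the Pix app.
        "overlay": PERM_OVERLAY in perms,
    }
    hits = sum(findings.values())
    findings["verdict"] = {3: "high", 2: "medium"}.get(hits, "low")
    return findings
```

Run it over manifests decoded from a dropper APK; a "high" verdict on an app that claims to be a shop or delivery service is the pattern described in this section.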

“From the victim’s perspective, nothing out of the ordinary happened,” Jaswant said. “The app temporarily displayed a loading indicator. This is a common occurrence during regular banking operations. Your transfer was confirmed successfully. The amount you were trying to transfer has been debited from your account.”

“Victims don’t realize their money was sent to the wrong account until much later, sometimes much later. And because Pix transfers are immediate and final, recovery is extremely difficult.”

Users in Brazil have also been targeted by another Android malware campaign called BeatBanker, which is spread primarily through phishing websites masquerading as the Google Play Store. BeatBanker’s name comes from its unusual persistence mechanism: it plays a barely audible audio file, a five-second recording of Chinese words, on a loop so that the process is never allowed to end.

In addition to runtime checks for emulated or analysis environments, the malware monitors battery temperature and charge level and whether the user is actively using the device, starting or stopping its Monero miner accordingly. It uses Google’s Firebase Cloud Messaging (FCM) for command and control (C2).

“To achieve its goal, the malicious APK incorporates multiple components, including a cryptocurrency miner and a banking Trojan that can completely hijack the device and disguise its screen,” Kaspersky said. “When a user attempts to make a USDT transaction, BeatBanker creates an overlay page of Binance and Trust Wallet and secretly replaces the destination address with the threat actor’s forwarding address.”

This banking module monitors URLs visited by victims in web browsers such as Chrome, Edge, Firefox, Brave, Opera, DuckDuckGo, Dolphin Browser, and sBrowser. It also accepts a long list of commands from the server to collect personal information and take complete control of the device.

Recent campaigns have been found to drop the BTMOB RAT instead of the banking module. This gives operators comprehensive remote control, persistent access, and monitoring of compromised devices. BTMOB is assessed to be an evolution of the CraxsRAT, CypherRAT, and SpySolr families, all of which are associated with the Syrian threat actor operating under the online alias EVLF.

“We have also confirmed the distribution and sale of leaked BTMOB source code on some dark web forums,” the Russian security vendor said. “This may suggest that the creators of BeatBanker obtained BTMOB from the original creator or leaker and utilized it as the final payload.”

Similar to PixRevolution, TaxiSpy RAT targets Russian banking, cryptocurrency, and government apps by abusing Android’s accessibility services and MediaProjection API to collect SMS messages, contacts, call logs, clipboard contents, the list of installed apps, notifications, lock screen PINs, and keystrokes, as well as presenting overlays for credential theft.

This malware combines the functionality of traditional banking Trojans with full RAT functionality, allowing attackers to collect sensitive data and execute commands sent via Firebase push messages. Several TaxiSpy samples have been discovered by both CYFIRMA and Zimperium, demonstrating active efforts on the part of attackers to evade signature-based detection and blacklist protection.

“The malware utilizes advanced evasion techniques, including native library encryption, rolling XOR string obfuscation, and real-time VNC-like remote control over WebSockets,” CYFIRMA said. “Its design enables comprehensive device monitoring, including monitoring of SMS, call logs, contacts, notifications and banking apps, emphasizing economic incentives and region-specific focus.”

Another notable Android banking Trojan is Mirax. It is advertised as a private malware-as-a-service (MaaS) offering by a threat actor named Mirax Bot, with a monthly fee of $2,500 for the full version and $1,750 for the light version. Mirax claims to provide banking overlays, information collection (keystrokes, SMS, lock patterns, etc.), and a SOCKS5 proxy to route malicious traffic through the compromised device.

Mirax isn’t the only Android MaaS service discovered in recent months. A new Android remote access Trojan called Oblivion sells for about $300 a month (or $1,900 a year, or $2,200 for lifetime access) and claims to bypass detection and security features in devices from major manufacturers.

Once installed, the malware employs an automatic permission granting mechanism that requires no interaction from the victim. According to the seller, this approach works with MIUI/HyperOS (Xiaomi), One UI (Samsung), ColorOS (OPPO), MagicOS (Honor), and OxygenOS (OnePlus).

“What sets it apart is not a single feature, but a combination of automated privilege bypass, hidden remote control, deep persistence, and a point-and-click builder that puts it all within reach of even would-be hackers with minimal technical skills,” Certos said.

“Google has made progressive restrictions on exploits of accessibility services a priority across successive Android versions. The latest releases have tools to reliably circumvent these protections, and they’re doing so across devices from Samsung, Xiaomi, OPPO and more, representing a real challenge to platform-level defenses.”

Also commercially distributed through the Telegram-based MaaS ecosystem is an Android malware family called SUXRAT, which is said to be an improved version of Arsink. The malware exploits accessibility permissions for persistent control and communicates with Firebase-based C2 infrastructure to extort infected devices. The malware is being sold on Telegram channels controlled by Indonesian attackers.

Notable in some of the new samples is the presence of large language model (LLM) components, indicating that the attackers behind the malware are experimenting with artificial intelligence (AI) capabilities alongside conventional surveillance. The LLM module is downloaded only when one of the game applications listed below is active on the victim’s device, or when an alternate target package name is received dynamically from the server.

  • Free Fire MAX × Jujutsu Kaisen (com.dts.freefiremax)
  • Free Fire × Jujutsu Kaisen (com.dts.freefireth)

Some SUXRAT samples also include a ransomware-style screen locker module that allows a remote operator to take control of a victim’s device and deny access by displaying a full-screen lock message until payment is made.

“This evolution highlights how the existing Android RAT framework continues to be reused and extended by threat actors, accelerating malware development cycles and enabling rapid deployment of new monitoring and control capabilities,” Cyble said. “Observed experiments with large-scale AI model integration further demonstrate that adversaries are actively exploring new technologies to increase operational efficiency and evade detection.”
