Close Menu
    What's Hot

    Waymo says San Francisco service has resumed after one-hour pause

    Vitality Blast Final: Northamptonshire beat Hampshire to win third title after see-saw clash at Edgbaston | Cricket News

    Why Jordan Is Becoming a New Focus in the U.S.-Iran War

    Facebook X (Twitter) Instagram
    Trending
    • Waymo says San Francisco service has resumed after one-hour pause
    • Vitality Blast Final: Northamptonshire beat Hampshire to win third title after see-saw clash at Edgbaston | Cricket News
    • Why Jordan Is Becoming a New Focus in the U.S.-Iran War
    • Palestinian teenage footballer dies a week after Israeli settler attack | Occupied West Bank News
    • Madison Square Garden Sues Wired Magazine Over L.G.B.T.Q. Tracking Report
    • Quanta Services: Buy The Bottleneck Between AI And Energized Power (NYSE:PWR)
    • A material in Spanish World Cup star Pedri’s cleats could also repair your colon
    • Cindy Burbank, Nebraska’s Democratic Senate Nominee, Files to Withdraw From Race
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

    adminBy adminMarch 13, 2026No Comments7 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

    Cybersecurity researchers have discovered half-a-dozen new Android malware families that come with capabilities to steal data from compromised devices and conduct financial fraud.

    The Android malware range from traditional banking trojans like PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT to full-fledged remote administration tools such as SURXRAT.

    PixRevolution, according to Zimperium, targets Brazil’s Pix instant payment platform, hijacking victims’ money transfers in real-time to route them to the threat actors instead of the intended payee.

    “This new strain of malware operates stealthily within the device until the moment the victim initiates a Pix transfer,” security researcher Aazim Yaswant said. “What distinguishes this threat from conventional banking trojans is its fundamental design: a human or AI agent operator is actively engaged on the remote end, observing the victim’s phone screen instantaneously, poised to act at the precise moment of transaction.”

    The Android malware propagates via fake Google Play Store app listing pages for apps like Expedia, Sicredi, and Correios to trick users into installing the malicious dropper APK files. Once installed, the apps urge users to enable accessibility services to realize their goals.

    Cybersecurity

    It also connects to an external server over TCP on port 9000 to send periodic heartbeat messages containing device information and activate real-time screen capture using Android’s MediaProjection API. The main functionality of PixRevolution, though, is the monitoring of the victim’s screen and serving a fake overlay as soon as a victim enters the desired amount and the Pix key of the recipient to initiate the payment.

    At that point, the trojan shows a fake WebView overlay that says “Aguarde…” (meaning “wait” in Portuguese/Spanish), while, in the background, it edits the Pix key with that of the attacker’s to complete the funds transfer. In the final stage, the overlay is removed, and the victim is displayed a “transfer complete” confirmation screen in the Pix app.

    “From the victim’s perspective, nothing unusual happened,” Yaswant said. “The app briefly showed a loading indicator, something that occurs routinely during legitimate banking operations. The transfer was confirmed successfully. The amount they intended to send was deducted from their account.”

    “It is only later, sometimes much later, that the victim discovers the money went to the wrong account. And because Pix transfers are instant and final, recovery is extraordinarily difficult.”

    Brazilian users have also become the target of another Android‑based malware campaign called BeatBanker, which spreads primarily through phishing attacks via a website disguised as the Google Play Store. BeatBanker gets its name from the use of an unusual persistence mechanism that involves playing an almost inaudible audio file, a 5-second recording featuring Chinese words, on a loop to prevent it from being terminated.

    Besides incorporating runtime checks for emulated or analysis environments, the malware monitors battery temperature and percentage, and verifies whether the user is using the device to start or stop the Monero miner as required. It uses Google’s Firebase Cloud Messaging (FCM) for command‑and‑control (C2).

    “To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking trojan capable of completely hijacking the device and spoofing screens, among other things,” Kaspersky said. “When the user tries to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.”

    The banking module also monitors web browsers like Chrome, Edge, Firefox, Brave, Opera, DuckDuckGo, Dolphin Browser, and sBrowser to URLs accessed by the victim. In addition, it supports the ability to receive a long list of commands from the server to collect personal information and gain complete control of the device.

    Recent iterations of the campaign have been found to drop BTMOB RAT instead of the banking module. It provides operators with comprehensive remote control, persistent access, and surveillance over compromised devices. BTMOB is assessed to be an evolution of CraxsRAT, CypherRAT, and SpySolr families, all of which have been linked to a Syrian threat actor who goes by the online alias EVLF.

    “We also saw the distribution and sale of leaked BTMOB source code on some dark web forums,” the Russian security vendor said. “This may suggest that the creator of BeatBanker acquired BTMOB from its original author or the source of the leak and is utilizing it as the final payload.”

    TaxiSpy RAT, similar to PixRevolution, abuses Android’s accessibility service and MediaProjection APIs to collect SMS messages, contacts, call logs, clipboard contents, installed apps list, notifications, lock screen PINs, and keystrokes, as well as target Russian banking, cryptocurrency, and government apps by serving overlays to conduct credential theft.

    The malware combines traditional banking trojan functionality with full RAT capabilities, enabling threat actors to gather sensitive data and execute commands sent via Firebase push messages. Several TaxiSpy samples have been discovered by both CYFIRMA and Zimperium, indicating active efforts on the part of attackers to evade signature-based detection and blacklist defenses.

    “The malware leverages advanced evasion techniques, such as native library encryption, rolling XOR string obfuscation, and real-time VNC-like remote control via WebSocket,” CYFIRMA said. “Its design allows comprehensive device surveillance, including SMS, call logs, contacts, notifications, and banking app monitoring, highlighting its financially motivated and region-specific focus.”

    Another Android banking trojan of note is Mirax, which has been advertised by a threat actor named Mirax Bot as a private malware-as-a-service (MaaS) offering for a monthly price of $2,500 for a full version or $1,750 for a light variant. Mirax claims to offer banking overlays, information gathering (e.g., keystrokes, SMS, lock patterns), and a SOCKS5 proxy to route malicious traffic through compromised devices.

    Mirax is not the only Android MaaS offering detected in recent months. A new Android remote access trojan called Oblivion is being sold for around $300 per month (or $1,900 per year and $2,200 for lifetime access) and claims to bypass detection and security features on devices from major manufacturers.

    Once installed, the malware employs an automated permission-granting mechanism that requires no interaction from the victim. This approach, per the seller, works across MIUI / HyperOS (Xiaomi), One UI (Samsung), ColorOS (OPPO), MagicOS (Honor), and OxygenOS (OnePlus).

    “What sets it apart isn’t any single feature. It’s the combination: automated permission bypass, hidden remote control, deep persistence, and a point-and-click builder that puts all of it within reach of would-be hackers with even the most minimal level of technical skill,” Certos said.

    “Google has made progressive restrictions on accessibility service abuse a priority across successive Android versions. A tool that credibly bypasses those protections on the latest release – and does so across devices from Samsung, Xiaomi, OPPO, and others – represents a genuine challenge to platform-level defenses.”

    Cybersecurity

    Also commercially distributed through a Telegram-based MaaS ecosystem is an Android malware family called SURXRAT, which is assessed to be an improved version of Arsink. The malware abuses accessibility permissions for persistent control and communicates with a Firebase-based C2 infrastructure to commandeer infected devices. The malware is marketed on a Telegram channel managed by an Indonesian threat actor.

    What’s notable about some of the new samples is the presence of a large language model (LLM) component, indicating that the threat actors behind the malware are experimenting with artificial intelligence (AI) capabilities, along with traditional surveillance. That said, the download of the LLM module is triggered only when specific gaming applications are active on the victim’s device, or when it receives alternative target package names dynamically from the server –

    • Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax)
    • Free Fire x JUJUTSU KAISEN (com.dts.freefireth)

    Select SURXRAT samples also incorporate a ransomware-style screen locker module that makes it possible for a remote operator to hijack control of a victim’s device and deny access by displaying a full-screen lock message until a payment is made.

    “This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities,” Cyble said. “The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection.”

    Android apps banking Crypto Families Malware payments Pix Target wallets
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticlePODCAST | The Lead: Mmusi Maimane on the DA’s ‘toxic’ politics and why the N2 wall won’t work
    Next Article The original AirTag is the cheapest it’s ever been
    admin
    • Website

    Related Posts

    Ukraine’s Top General Becomes a Target of Protesters’ Anger

    July 18, 2026

    New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

    July 18, 2026

    ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

    July 18, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Waymo says San Francisco service has resumed after one-hour pause

    Vitality Blast Final: Northamptonshire beat Hampshire to win third title after see-saw clash at Edgbaston | Cricket News

    Why Jordan Is Becoming a New Focus in the U.S.-Iran War

    Palestinian teenage footballer dies a week after Israeli settler attack | Occupied West Bank News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by