# PixPirate
PixPirate is a Brazilian banking trojan built to exploit Pix, Brazil's instant payment platform used by over 100 million accounts. First documented by Cleafy in February 2023, the malware performs Automated Transfer System (ATS) fraud through accessibility services, initiating Pix transfers from the victim's banking app without user interaction. PixPirate introduced a novel stealth technique: the main payload has no launcher icon and no main activity, making it invisible in the app drawer. This is the first financial malware family observed using this method, which bypasses Android 10+ restrictions that previously stopped malware from hiding its icon.
## Overview
| Attribute | Details |
|---|---|
| First Seen | Late 2022 |
| Status | Active |
| Type | Banking trojan, ATS fraud |
| Attribution | Unknown, Brazilian-origin operation |
| Aliases | PixPirate |
## Origin and Lineage
PixPirate was discovered by Cleafy's Threat Intelligence and Response (TIR) team between late 2022 and early 2023. It belongs to the generation of Android banking trojans that leverage ATS for on-device fraud, joining families like Anatsa, SharkBot, and Xenomorph in automating the entire transaction flow through accessibility services.
PixPirate is distinct in its specialization. Rather than targeting a broad set of banking apps across multiple countries, it focuses exclusively on Pix, the real-time payment system operated by Brazil's Central Bank. Pix processes transactions instantly and irreversibly, making it an ideal target for automated fraud: once a transfer completes, the money is gone. The malware was built ground-up for this purpose, with JavaScript modules tailored to each targeted bank's Pix transfer interface.
IBM Security Trusteer researchers later published extended analysis covering the dropper-payload architecture and the innovative icon-hiding technique.
## Distribution
PixPirate uses a two-component distribution model: a separate dropper app and a payload app.
### Dropper (Downloader)
| Attribute | Details |
|---|---|
| Distribution | Smishing campaigns, WhatsApp spam from infected devices |
| Store presence | Not on Google Play |
| Function | Downloads or unpacks the payload APK, requests accessibility permissions |
| Persistence | Can be uninstalled without affecting the payload |
### Payload (Droppee)
| Attribute | Details |
|---|---|
| Distribution | Installed by the dropper |
| Store presence | Not on Google Play |
| Launcher icon | None, completely invisible in app drawer |
| Main activity | No `android.intent.action.MAIN` / `android.intent.category.LAUNCHER` intent filter |
| Activation | Triggered via exported service that the dropper binds to |
The payload intentionally lacks a launcher activity. On Android 10+, an app without a launcher activity shows no icon in the app drawer, but until now that also made such an app non-functional, because nothing could start it. PixPirate solves this by exporting a service that the dropper binds to, so the dropper can trigger the payload without any launcher entry.
Even if the user uninstalls the dropper, the payload persists and can activate based on device events such as boot completion, connectivity changes, or other broadcast receivers.
### WhatsApp Propagation
In later campaigns, IBM documented PixPirate spreading via WhatsApp. The payload uses accessibility capabilities to:
- Read the victim's WhatsApp contact list
- Send phishing messages with the dropper download link to contacts
- Propagate automatically without operator intervention
This adds a worm-like dimension similar to FluBot's SMS propagation, but using WhatsApp as the channel instead of SMS.
## Capabilities
### Core Functions
| Capability | Description |
|---|---|
| ATS fraud via Pix | Automates Pix transfers using accessibility services to interact with banking app UI |
| Credential theft | Steals banking passwords by recognizing UI elements of targeted banks via accessibility |
| SMS interception | Reads, intercepts, and deletes SMS messages (OTP theft, evidence removal) |
| Notification interception | Monitors and suppresses notifications from banking apps |
| Contact list access | Reads contacts for WhatsApp-based propagation |
| WhatsApp worm | Sends phishing messages to contacts via WhatsApp |
| Uninstall prevention | Uses accessibility to disrupt settings navigation when user attempts removal |
| Keylogging | Records keystrokes on targeted apps |
| Screen recording | Captures screen content for operator review |
| Remote control | RAT functionality for manual operator intervention |
### ATS Fraud Detail
PixPirate's ATS implementation is bank-specific. The malware includes JavaScript modules with functions tailored to each targeted bank's Pix transfer UI:
```text
Victim opens banking app
→ Accessibility service detects target bank's activity
→ PixPirate identifies UI elements (password field, transfer buttons, amount fields)
→ Injects credentials if needed (from prior theft)
→ Navigates to Pix transfer flow
→ Fills recipient details (mule account controlled by operators)
→ Sets transfer amount
→ Confirms transaction
→ Clears notification evidence
```
Each bank has a dedicated function because Pix transfer UIs differ between banking apps. The malware recognizes specific view hierarchies, button labels, and field identifiers per bank.
## Technical Details
### Architecture
```text
Dropper APK (visible, has launcher icon)
→ Downloads/unpacks Payload APK
→ Requests Accessibility Service permission via persistent pop-ups
→ Binds to Payload's exported service to trigger activation
→ Can be safely uninstalled by user (payload survives)

Payload APK (invisible, no launcher icon)
→ No android.intent.action.MAIN
→ No android.intent.category.LAUNCHER
→ Exports a Service for dropper binding
→ Registers BroadcastReceivers for:
    - BOOT_COMPLETED
    - CONNECTIVITY_CHANGE
    - PACKAGE_REPLACED
→ Persists independently of dropper
```
### Icon Hiding Technique
Prior to PixPirate, Android malware hid launcher icons by calling `setComponentEnabledSetting()` to disable the launcher activity after installation. Android 10 blocked this approach. PixPirate bypasses the restriction entirely by never declaring a launcher activity in the first place: the manifest contains no activity with MAIN + LAUNCHER intent filters, so the system never creates an icon. Activation is handled through the exported service and the broadcast receivers.
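As an added example (not code from the page, Cleafy or IBM), the following Python triage helper checks a decoded `AndroidManifest.xml` for the payload shape described in the Architecture and Icon Hiding sections: no MAIN/LAUNCHER activity, yet an exported service and boot/connectivity/package-replaced receivers. The embedded manifest, its package name and its component names are constructed for illustration.

```python
# Added triage helper (not from the page, Cleafy or IBM): flags a decoded
# AndroidManifest.xml (as apktool/aapt emit it) matching the PixPirate
# payload shape described above.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest; package and component names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hidden.payload">
  <application android:label="Update">
    <service android:name=".Activator" android:exported="true"/>
    <service android:name=".A11y" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Boot" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

PERSIST = ("BOOT_COMPLETED", "CONNECTIVITY_CHANGE", "PACKAGE_REPLACED")
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(xml_text: str) -> dict:
    """Return the hidden-payload indicators found in one manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    # A launcher icon exists only if some activity filter has MAIN + LAUNCHER.
    launcher = False
    for filt in (f for act in app.iter("activity") for f in act.iter("intent-filter")):
        actions = {a.get(A + "name") for a in filt.iter("action")}
        cats = {c.get(A + "name") for c in filt.iter("category")}
        if "android.intent.action.MAIN" in actions and \
                "android.intent.category.LAUNCHER" in cats:
            launcher = True
    services = list(app.iter("service"))
    exported = [s.get(A + "name") for s in services if s.get(A + "exported") == "true"]
    a11y = any(s.get(A + "permission") == A11Y_PERM for s in services)
    recv_actions = {a.get(A + "name") for r in app.iter("receiver")
                    for a in r.iter("action")}
    persistence = sorted(n.rsplit(".", 1)[-1] for n in recv_actions
                         if n.endswith(PERSIST))
    return {"package": root.get("package"), "has_launcher": launcher,
            "exported_services": exported, "accessibility_service": a11y,
            "persistence_receivers": persistence,  # combination, not any one flag
            "matches_pattern": not launcher and bool(exported) and bool(persistence)}
```

A legitimate app can carry any one of these attributes; it is the combination of no launcher entry with an externally triggerable service and persistence receivers that merits closer inspection.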
### C2 Communication
| Parameter | Details |
|---|---|
| Protocol | HTTP |
| Data format | JSON |
| TLS | Certificate pinning to prevent MITM inspection |
| Commands | Transfer instructions, mule account details, target bank configurations, module updates |
Cleafy noted the use of certificate pinning on C2 communications, which prevents traffic interception even on devices with user-installed CA certificates. The C2 delivers configuration updates including new bank-specific JavaScript modules and mule account rotation.
### Anti-Analysis
| Technique | Description |
|---|---|
| Code obfuscation | Heavy obfuscation with garbage functions requiring multiple deobfuscation passes |
| String encryption | Encrypted strings decrypted at runtime |
| No launcher icon | Invisible to standard device inspection |
| Certificate pinning | Prevents C2 traffic interception |
| Anti-emulator | Checks for emulator artifacts |
| Anti-debugging | Detects debugging tools |
### Accessibility Abuse
PixPirate requests accessibility permissions through persistent fake pop-ups that reappear until the victim grants access. Once enabled, the accessibility service provides:
- Real-time monitoring of foreground activities (for trigger detection)
- UI element inspection (for ATS automation)
- Click and gesture injection (for performing transfers)
- Notification access (for OTP interception and suppression)
- Keylogging (for credential capture)
## Target Regions
| Region | Status | Notes |
|---|---|---|
| Brazil | Primary target | All known bank-specific modules target Brazilian financial institutions via Pix |
| India | Expanding | IBM documented WhatsApp-based campaigns targeting Indian users |
| Italy | Early stage | IBM identified initial campaigns |
| Mexico | Early stage | IBM identified initial campaigns |
The expansion beyond Brazil is significant. While Pix is Brazil-specific, the malware's ATS capabilities and WhatsApp propagation mechanism are adaptable to other instant payment platforms and banking apps.
## Notable Campaigns
2022, Late: PixPirate first observed in the wild targeting Brazilian banking users. Distributed via smishing campaigns directing victims to download a fake authenticator app.
2023, February: Cleafy publishes initial analysis documenting PixPirate's ATS capabilities against Pix, its accessibility abuse, and its dropper-based distribution. The report details the bank-specific JavaScript modules and C2 architecture.
2024, February: IBM Security Trusteer publishes detailed analysis of the novel icon-hiding technique, documenting how the payload operates without a launcher activity and persists independently of the dropper. BleepingComputer, The Hacker News, and Dark Reading publish coverage highlighting this as the first financial malware to use the no-launcher-activity approach.
2024-2025: IBM documents PixPirate's expansion via WhatsApp. The malware begins targeting users in India, Italy, and Mexico, using WhatsApp spam from infected devices to spread the dropper. The WhatsApp propagation mechanism gives the campaign worm-like characteristics similar to FluBot's SMS spreading.