# PixStealer

Minimalist banking trojan targeting Brazil's Pix instant payment system. Discovered by Check Point on Google Play in April 2021, PixStealer was notable for its "less is more" approach: it used no C2 communication, requested minimal permissions, and performed a single function. It used Accessibility Services to detect when the victim opened a banking app, retrieved the available balance, and initiated an automated Pix transfer of the entire balance to an attacker-controlled account.

## Overview
| Property | Value |
|---|---|
| First Seen | April 2021 |
| Type | Banking trojan (Pix payment system) |
| Attribution | Unknown (Brazilian targeting) |
| Aliases | Check Point designation; companion variant: MalRhino |
## Distribution
Google Play, disguised as a fake "PagBank Cashback" service app. Removed in 2021 after discovery.
## Capabilities
| Capability | Implementation |
|---|---|
| Accessibility abuse | Detected banking app launch, navigated UI |
| Balance theft | Retrieved available balance from banking app |
| Automated Pix transfer | Initiated transfer of entire account balance to attacker |
| No C2 | Zero network communication after installation |
| Overlay | Displayed overlay while covertly interacting with banking app |
## Significance
PixStealer's no-C2 design made it extremely difficult to detect through network analysis. By avoiding C2 communication and data exfiltration, it evaded most behavioral detection systems. The MalRhino companion variant was more sophisticated, targeting multiple Brazilian banks with broader capabilities.
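Because the no-C2 design leaves nothing for network monitoring, the artifact a defender can still check on a device is the enabled accessibility service itself. The script below is an added example, not code from Check Point's report or from the malware: it parses the Android secure setting that lists enabled accessibility services and the third-party package list, and flags any non-allowlisted third-party package hosting such a service. The allowlist contents and all sample values are assumptions constructed for illustration.

```python
"""Triage check for Accessibility Service abuse of the kind PixStealer used.
PixStealer generated no network traffic, so the artifact left on a device is
the accessibility service the victim was asked to enable. This parses the
secure setting listing enabled services (as printed by
`adb shell settings get secure enabled_accessibility_services`) and flags any
third-party package hosting one that is not allowlisted. Samples are constructed.
"""

# Assumption: packages a defender expects to host accessibility services.
# TalkBack is Google's screen reader; extend this for the device fleet.
KNOWN_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the colon-separated setting into (package, service class) pairs."""
    services = []
    for entry in setting_value.strip().split(":"):
        if not entry:
            continue  # empty setting, or a stray trailing separator
        package, _, component = entry.partition("/")
        if component.startswith("."):
            component = package + component  # ".Svc" is relative to the package
        services.append((package, component))
    return services

def parse_third_party_packages(pm_output: str) -> set[str]:
    """Parse `adb shell pm list packages -3` output: one "package:<name>" per line."""
    return {line[len("package:"):].strip() for line in pm_output.splitlines()
            if line.startswith("package:")}

def suspicious_services(setting_value: str, third_party: set[str]) -> list[tuple[str, str]]:
    """Return enabled services hosted by non-allowlisted third-party packages."""
    return [(pkg, comp) for pkg, comp in parse_enabled_services(setting_value)
            if pkg in third_party and pkg not in KNOWN_ACCESSIBILITY_PACKAGES]

if __name__ == "__main__":
    # Constructed sample: TalkBack plus a sideloaded "cashback" app with a
    # placeholder package name (not an indicator from the PixStealer report).
    setting = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.cashback/.AccessService")
    pm_out = "package:com.example.cashback\npackage:com.example.game\n"
    for pkg, comp in suspicious_services(setting, parse_third_party_packages(pm_out)):
        print(f"REVIEW: {pkg} runs accessibility service {comp}")
```

Feed it the two `adb shell` outputs named in the docstring; any flagged entry is a candidate for the fake "PagBank Cashback" style of app described above.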
## Related Families
| Family | Relationship |
|---|---|
| MalRhino | Companion variant discovered alongside PixStealer, more sophisticated, multiple bank targets |
| PixPirate | Later, unrelated Pix-targeting family (2022+) with invisible app drawer technique |