This sneaky Android malware has an all-new way to avoid being detected

How do you run an app with no icon?

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurity researchers have found a new version of a well-known Android banking trojanmalwarewhich sports quite a creative method of hiding in plain sight.

PixPirate targets mostly Brazilian consumers with accounts on the Pix instant payment platform, which allegedly counts more than 140 million customers, and services transactions north of $250 billion.

The campaign’s goal was to divert the cash to attacker-owned accounts. Usually, banking trojans on Android would try to hide by changing their app icons and names. Often, the trojans would assume the “settings” icon, or something similar, tricking the victims into looking elsewhere, or simply into being too afraid to remove the app from their device. PixPirate, on the other hand, gets rid of all of that by not having an icon in the first place.

Running the malware

The big caveat here is that without the icon, the victims cannot launch the trojan, so that crucial part of the equation is left to the attackers.

The campaign consists of two apps - the dropper, and the “droppee”. The dropper is being distributed on third-party stores, shady websites, and via social media channels, and is designed to deliver the final payload - droppee - and to run it (after asking for Accessibility and other permissions).

Droppee, which is PixPirate’s filename, exports a service to which other apps can connect to. The dropper connects to that service, allowing it to run the trojan. Even after removing the dropper, the malware can still run on its own, on certain triggers (for example, on boot, on network change, or on other system events).

The entire process, from harvesting user credentials, to initiating money transfer, is automated, and done in the background without the victim’s knowledge or consent. The only thing standing in the way, the researchers claim, are Accessibility Service permissions.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

It is also worth mentioning that this method only works on older versions of Android, up to Pie (9).

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

Quordle today – hints and answers for Saturday, November 9 (game #1020)