Cybersecurity researchers have recently discovered a new wave of Android malware that is designed to steal money and sensitive financial information from smartphone users. These malicious programs mainly target banking applications, cryptocurrency wallets, and digital payment platforms. The attackers use different techniques to secretly monitor activity on infected devices. Their main goal is to intercept financial transactions and redirect the money to accounts controlled by cybercriminals.

Researchers identified six Android malware families involved in these campaigns. The threats are named PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. Each of these malware families is designed to collect financial data or gain remote control of infected smartphones. Some of them behave like banking trojans, while others function as remote access tools. This combination allows attackers to monitor devices and manipulate financial apps.
One of the most notable threats in this campaign is PixRevolution. This malware specifically targets Pix, an instant payment system that is widely used in Brazil for quick money transfers. Because Pix transactions happen instantly, criminals see it as an attractive platform to exploit. PixRevolution waits until a user attempts to make a Pix payment. At that moment, it secretly manipulates the transaction so the money is redirected to the attacker.
Researchers say the malware is especially dangerous because it can operate in real time. After infecting a device, it can monitor the victim’s screen activity and track actions performed on financial apps. In some cases, attackers can observe the device remotely while the user is making a payment. This allows them to interfere with transactions at the exact moment they happen. As a result, the fraudulent transfer occurs without raising immediate suspicion.
The infection usually begins through malicious Android applications. Attackers create fake websites or download pages that look similar to legitimate platforms. These pages promote popular services or apps in order to trick users into installing a malicious APK file. Once the app is installed, it asks for important permissions on the device. Many of these requests involve Android’s Accessibility Services, which provide deep control over the phone.
After the permissions are granted, the malware connects to a command-and-control server operated by the attackers. The infected phone sends information about the device and maintains communication with this server. Some variants also activate screen capture features that allow attackers to see what is happening on the device. This helps criminals monitor financial activity and prepare for potential transactions. The attackers can then remotely guide or automate fraudulent actions.
When the victim tries to send money using the Pix payment system, the malware activates a fake screen overlay. This overlay may display a message telling the user to wait while the transaction is processing. While the victim sees this message, the malware secretly replaces the original payment key with the attacker’s payment address. The transaction then continues normally from the user’s perspective. However, the money is actually transferred to the attacker.
Security experts warn that mobile malware attacks are increasing as more people rely on smartphones for banking and digital payments. Modern Android malware is designed to run silently in the background and avoid detection. It can monitor financial apps, steal login information, and manipulate transactions directly from the device. Experts recommend installing apps only from trusted sources and carefully reviewing permission requests. Keeping devices updated and using mobile security tools can also reduce the risk of infection.
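
A device-side check for the permission review recommended above, as an added example that is not from the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s`, and lists enabled accessibility services whose app was not installed by a trusted store. The trusted-installer set, the function names and the sample output (including the package `com.example.fakeupdate`) are assumptions constructed for illustration.

```python
import re

# Assumption: Google Play is the only installer this audit trusts.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(raw):
    """Colon-separated 'package/service' components; 'null' means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [tuple(c.split("/", 1)) for c in raw.split(":") if "/" in c]

def parse_installers(raw):
    """Lines of 'package:<name>  installer=<name|null>' -> {package: installer or None}."""
    result = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result

def parse_system_packages(raw):
    """Lines of 'package:<name>' from the system-package listing -> set of names."""
    lines = (line.strip() for line in raw.splitlines())
    return {line[len("package:"):] for line in lines if line.startswith("package:")}

def audit(services_raw, installers_raw, system_raw):
    """Return (package, service, installer) for each enabled accessibility service
    that belongs to a non-system app not installed by a trusted store."""
    installers = parse_installers(installers_raw)
    system = parse_system_packages(system_raw)
    findings = []
    for pkg, svc in parse_enabled_services(services_raw):
        if pkg in system:
            continue  # preinstalled apps report installer=null; skip them
        installer = installers.get(pkg)
        if installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, svc, installer))
    return findings

# Constructed sample output, not captured from a real device.
SERVICES = ("com.google.android.marvin.talkback/"
            "com.google.android.marvin.talkback.TalkBackService:"
            "com.example.fakeupdate/com.example.fakeupdate.HelperService")
INSTALLERS = ("package:com.google.android.marvin.talkback  installer=com.android.vending\n"
              "package:com.example.fakeupdate  installer=null\n")
SYSTEM = "package:com.android.settings\n"

if __name__ == "__main__":
    for pkg, svc, installer in audit(SERVICES, INSTALLERS, SYSTEM):
        print(f"REVIEW: {pkg} runs accessibility service {svc} (installer={installer})")
```

A finding is a prompt for manual review, not a verdict: legitimate sideloaded apps are reported too, and the check says nothing about apps that have not yet been granted the permission.
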
Stay alert, and keep your security measures updated!


