Date: 2021-09-29

The consulting division of the Israeli cybersecurity company Check Point discovered a new type of scam involving Pix, the instant payment system led by the Central Bank. As part of a study that scanned multiple countries, the consultancy identified a malicious application (malware) named PixStealer.

Targeting the Android operating system, PixStealer was being distributed on the Google Play Store under the false name “PayBank Cashback”.

Upon installing it, when the user opened their banking application to access Pix, the malware would show the victim an overlay window, making the user unable to see the criminal’s movements. Thus, the scammer identified the amount of money available and transferred it, using Pix, to another account.

The study was done in April, and the app is no longer available on the app store. There is no information on how many people may have fallen for this scam.

Fernando de Falchi, Check Point Brazil’s security engineering manager, says that PixStealer is very simple and straightforward. Its purpose is not to capture customer information, but to transfer the balance immediately. He says the scam is not the result of a Pix failure, but of increasingly smart criminals, who managed to bypass the Google Play Store security – which is not easy – and take advantage of people’s inattention. “Cashback is so fashionable that people end up following it.”

He points out that criminals use the data of “oranges” (money mules) and transfer funds to accounts at digital banks, where, given the high turnover of accounts, it is often not possible later to track where the money ended up. Another problem is that even those who have antivirus on their cell phone would hardly be able to stop the malware, as the user consciously downloaded the app from the app store and gave it all permissions.

“Requesting accessibility permission [for the visually impaired] is not normal behavior. Only those who really need it should grant this permission, because that gives the criminal an opening”, he warns.

Scam with fake iToken for Inter bank

A second piece of malware discovered by Check Point is not directly related to Pix, but it also affected digital banking users.

Dubbed MalRhino, it was a fake iToken app for Inter bank and was also distributed through the Google Play Store. The program displayed a message to the victim trying to convince them to grant accessibility permission.

Once granted, it could collect data from the actual application and send the list to a command and control (C&C) server, providing the ability to go unnoticed.



“We live in an age when cybercriminals don’t need to break into a bank to steal money. All a cybercriminal needs to do is understand the platforms banks use and their pitfalls. There is a growing trend that cybercriminals are stalking institutional banking applications,” says Lotem Finkelsteen, Head of Threat Intelligence at Check Point.

Cybersecurity in Brazil is advanced, says expert

Despite these newly discovered scams, Falchi says the cybersecurity of the Brazilian banking system is quite advanced compared to other countries. “Bank applications are secure. There’s nothing perfect, because that doesn’t exist in technology, but banks have made huge investments in cybersecurity.”

When contacted, Inter stated that its Token has been integrated into the application since 2019, and it is not necessary to use other apps or solutions to validate operations. “In addition to investing in frequent fraud prevention campaigns, Inter advises customers to use only the institution’s official application.”