PixPirate Conceals Itself as Fakext Targets Financial Institutions

The PixPirate Android banking trojan has recently adopted a novel strategy to avoid detection and carry out its malicious activities undetected on targeted devices, particularly in Brazil, according to a recent technical report by IBM.

This new technique involves concealing the trojan’s icon from the device’s home screen, ensuring that victims remain unaware of the malicious operations occurring in the background.

First identified by Cleafy in February 2023, PixPirate is notorious for exploiting Android’s accessibility services to execute unauthorized fund transfers via the PIX instant payment platform whenever a user accesses a targeted banking application. Moreover, this constantly evolving malware is adept at stealing users’ online banking credentials and credit card details, intercepting SMS messages, and capturing keystrokes, including two-factor authentication codes.

The distribution of PixPirate typically occurs through SMS and WhatsApp, utilizing a dropper app to deploy the main payload. In the case of PixPirate, the downloader not only installs the main payload but also actively participates in executing malicious activities by communicating with the main payload and sending commands.

In the latest iteration of PixPirate, significant changes have been observed, most notably the absence of a launcher activity, the Android component that would otherwise let the app be opened from the home screen. This modification in the infection chain underscores the symbiotic relationship between the downloader and the main payload: the downloader initiates the execution of PixPirate, which then conceals its presence and keeps running even if the downloader is removed from the device.
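An app that holds an enabled accessibility service yet has no launcher activity is exactly the combination described above, and it is something a responder can check for on a device under investigation. The following triage helper is an added example written for this article; it is not code from the IBM or Cleafy reports and contains no PixPirate-specific identifiers. It assumes two real `adb shell` outputs whose formats are documented: `settings get secure enabled_accessibility_services` (colon-separated `package/service` entries, or `null`) and `cmd package resolve-activity --brief` (a component name, or the text `No activity found`). The package names and command outputs embedded below are constructed samples, and `com.example.hidden` is a hypothetical package used only to show a hit.

```python
"""Flag installed packages that have an enabled accessibility service but no launcher activity.

Added example for triage; not from the reports discussed on the page. Run the
printed adb commands on a real device and feed their outputs to the functions.
"""
import shlex
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample in the format returned by:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.hidden/.OverlayService"
)

# Constructed samples in the format returned, per package, by:
#   adb shell cmd package resolve-activity --brief \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER <pkg>
# com.android.talkback's launcher component below is hypothetical.
SAMPLE_RESOLVE = {
    "com.android.talkback": "com.android.talkback/.TalkBackSetup",
    "com.example.hidden": "No activity found",
}


def parse_enabled_services(raw: str) -> Dict[str, List[str]]:
    """Map each package to its enabled accessibility service class names."""
    services: Dict[str, List[str]] = {}
    raw = raw.strip()
    if raw in ("", "null"):  # Android prints "null" when nothing is enabled
        return services
    for entry in raw.split(":"):
        pkg, _, svc = entry.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(svc)
    return services


def has_launcher_activity(resolve_output: str) -> bool:
    """True if resolve-activity printed a component rather than 'No activity found'."""
    out = resolve_output.strip()
    return bool(out) and not out.startswith("No activity found")


def resolve_command(pkg: str) -> str:
    """The adb command whose output should be passed for this package."""
    return (
        "adb shell cmd package resolve-activity --brief "
        "-a android.intent.action.MAIN -c android.intent.category.LAUNCHER "
        + shlex.quote(pkg)
    )


def find_hidden_accessibility_apps(
    a11y_raw: str,
    resolve_outputs: Dict[str, str],
    allowlist: FrozenSet[str] = frozenset(),
) -> List[Tuple[str, List[str]]]:
    """Return (package, services) for accessibility apps with no launcher entry.

    A package with no recorded resolve output is treated as having no launcher,
    so that a forgotten lookup surfaces for review instead of being silently passed.
    """
    findings = []
    for pkg, svcs in parse_enabled_services(a11y_raw).items():
        if pkg in allowlist:  # e.g. a known screen reader deployed by IT
            continue
        if not has_launcher_activity(resolve_outputs.get(pkg, "No activity found")):
            findings.append((pkg, svcs))
    return findings


if __name__ == "__main__":
    for pkg in parse_enabled_services(SAMPLE_A11Y):
        print("lookup:", resolve_command(pkg))
    for pkg, svcs in find_hidden_accessibility_apps(SAMPLE_A11Y, SAMPLE_RESOLVE):
        print(f"REVIEW {pkg}: accessibility service(s) {svcs} but no launcher activity")
```

On a device, run the `settings get` command once and the printed `resolve-activity` command for each package it lists, then pass the collected outputs to `find_hidden_accessibility_apps`; legitimate accessibility tools that also lack a launcher entry belong in the allowlist rather than in the findings.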

Meanwhile, in Latin America, particularly in Mexico, financial institutions are facing a new threat in the form of the Fakext malware. This malware employs a rogue Microsoft Edge extension named SATiD to carry out man-in-the-browser attacks, aiming to steal credentials entered on targeted banking sites. Fakext often masquerades as legitimate IT support, urging victims to download a remote access tool, ultimately facilitating financial fraud.

The campaign, operational since at least November 2023, has targeted 14 banks in the region, prompting swift action to remove the malicious extension from the Edge Add-ons store. As such, financial institutions and users alike must remain vigilant against evolving threats and employ robust security measures to mitigate the risk of financial fraud and data theft.