Cybersecurity researchers have found six new types of Android malware that can steal data from infected devices and commit financial fraud. The Android malware includes traditional banking trojans like PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT, as well as full-fledged remote administration tools like SURXRAT.
PixRevolution, according to Zimperium, targets Brazil's Pix instant payment platform, hijacking victims' money transfers in real-time to route them to the threat actors instead of the intended payee. Aazim Yaswant, a security researcher, said, "This new type of malware works quietly on the device until the victim starts a Pix transfer."
"What sets this threat apart from other banking trojans is its basic design: a human or AI agent operator is actively involved on the other end, watching the victim's phone screen in real time and ready to act at the exact moment of the transaction." The Android malware spreads through fake Google Play Store listing pages for apps like Expedia, Sicredi, and Correios, which trick users into installing the harmful dropper APK files.
Recent versions of the campaign have been found to drop BTMOB RAT instead of the banking module. It gives operators full remote control, persistent access, and the ability to monitor compromised devices.
BTMOB is thought to be an evolution of the CraxsRAT, CypherRAT, and SpySolr families. All of these families are linked to a Syrian hacker who goes by the name EVLF online. "We also saw leaked BTMOB source code being sold and shared on some dark web forums," the Russian security company said.
"This could mean that the person who made BeatBanker got BTMOB from the person who made it or the person who leaked it and is using it as the final payload." TaxiSpy RAT, like PixRevolution, uses Android's accessibility service and MediaProjection APIs to steal SMS messages, contacts, call logs, clipboard contents, the installed apps list, notifications, lock screen PINs, and keystrokes. It also targets Russian banking, cryptocurrency, and government apps by serving overlays to steal credentials.
However, the LLM module is only downloaded when certain gaming apps, such as Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax) or Free Fire x JUJUTSU KAISEN (com.dts.freefireth), are running on the victim's device, or when the server sends it new target package names on the fly. Some SURXRAT samples also include a screen locker module that works like ransomware: it lets a remote operator take control of a victim's device and block access by showing a full-screen lock message until payment is made.
Cyble said, "This evolution shows how threat actors keep using and expanding existing Android RAT frameworks, which speeds up the development of malware and makes it possible to quickly add new surveillance and control features."
"The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection."