A new Android-based banking Trojan is targeting mobile payments in Brazil and hijacking them on the way to their destination.
Dubbed “PixRevolution,” the Trojan relies on the widespread use of Pix, a mobile instant payment system implemented by the Central Bank of Brazil in 2020; more than three quarters of the Brazilian population use it. Researchers from mobile security vendor Zimperium’s zLabs team identified a novel banking Trojan “specifically targeting this system and implicitly targeting most Brazilian financial institutions,” malware analyst Aazim Yaswant wrote in a blog post.
Banking Trojans are unfortunately notorious in South America’s largest country; one known as Maverick emerged in 2024 that self-terminates if the victim is located outside Brazil. Why these attacks are so prevalent is a more complicated question, but the answer comes down to the heavy use of mobile payments in the country, as well as other complexities of the Latin American security landscape.
That said, it’s worth noting that mobile devices are an attractive target globally, and have only become more so in recent years.
Kern Smith, VP of global solutions engineering at Zimperium, tells Dark Reading that Brazil is an appealing target to attackers because it has one of the most advanced mobile banking ecosystems in the world.
“Large numbers of users rely on mobile apps for everyday banking and payments, creating a high-value attack surface,” he says. “Many regional cybercrime groups have also specialized in banking malware for years and have adapted those techniques to mobile devices as financial activity shifted to smartphones.”
The PixRevolution Difference: AI Agents and Precise Timing Windows
What makes PixRevolution stand out compared to other mobile malware is that it sits stealthily on the device until the victim initiates a Pix payment. When they do, a human or AI agent attacker actively observes and acts at the moment of the transaction, diverting the payment to a criminal entity instead.
Initial access involves trickery and social engineering, as expected. The threat actors behind the campaign made fake Google Play Store pages hosted on their own domains and posing as trusted brands like Expedia or local services such as the post office. They are “perfect replicas,” Yaswant wrote; when someone who stumbles on such a page attempts to download an app from the official Play Store, they instead download a malicious Android package kit (APK) file.
That APK file registers a new Android accessibility option called “Enable Revolution,” but this is not a legitimate feature. Rather, when launching the app, the malware tells the user to activate the accessibility feature for application functionality (and not data collection) reasons. But when they do that, the Trojan completely takes over the device. It has access to taps, swipes, all on-screen text, and all audio that reaches the microphone.
The Trojan also establishes command-and-control (C2) communication through port 9000 and gives the operator real-time screen capture with little delay. This gives the threat actor full visibility into what the device displays, enabling them to hijack a bank transfer the moment it happens. Furthermore, the malware carries a list of more than 80 Portuguese words referring to bank transfers and financial transactions, which it checks against every time new text appears on the screen.
Finally, in the moment when the victim attempts to send a payment, the attacker puts up an HTML overlay telling them to please wait (Aguarde…) while the hijack takes place behind the scenes. The final step in the attack takes mere seconds from the victim’s point of view.
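For the defender’s side of the three mechanisms just described (a rogue accessibility service, real-time screen capture, and a “please wait” overlay), here is an added example that is not from the Zimperium write-up or from any bank’s code: a hypothetical Kotlin payment-confirmation Activity that marks its window secure against screen capture, hides other apps’ overlays on Android 12 and later, and refuses to proceed while an accessibility service outside an assumed allowlist is enabled. `PixConfirmActivity`, `trustedServices`, `reportCompromisedDevice` and the `R.layout`/`R.id` resources are assumptions.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
// Hypothetical payment-confirmation screen of a banking app (not a real project's code).
class PixConfirmActivity : Activity() {
    // Assumed allowlist of accessibility services the bank tolerates on a device
    // that is about to send a payment (here only the platform screen reader).
    private val trustedServices = setOf(
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    )
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Forbid screenshots, screen recording and MediaProjection of this window,
        // so a remote operator cannot watch the transfer form as it is filled in.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                        WindowManager.LayoutParams.FLAG_SECURE)
        // Android 12+: hide other apps' overlay windows while this screen is shown,
        // so a "please wait" overlay cannot be drawn on top of the confirmation.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }
        setContentView(R.layout.activity_pix_confirm)          // assumed layout resource
        // Drop touches delivered while another window partially covers the button.
        findViewById<View>(R.id.btn_confirm).filterTouchesWhenObscured = true
    }
    override fun onResume() {
        super.onResume()
        val rogue = untrustedAccessibilityServices()
        if (rogue.isNotEmpty()) {
            // Treat the device as compromised: report the ids and refuse to continue.
            reportCompromisedDevice(rogue)
            finish()
        }
    }
    // Enabled accessibility services not on the allowlist, as "package/class" ids.
    fun untrustedAccessibilityServices(): List<String> {
        val am = getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.id }.filterNot { it in trustedServices }
    }
    // Assumed hook into the bank's fraud/risk backend; body intentionally not shown.
    private fun reportCompromisedDevice(serviceIds: List<String>) {}
}
```

Accessibility-based automation can still read the secure window’s view hierarchy, so the allowlist check is what catches an “Enable Revolution”-style service; the secure flag and overlay hiding only remove the operator’s live picture and the fake wait screen.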
How to Defend Against PixRevolution
Yaswant said PixRevolution marks an evolution in mobile financial fraud, combining real-time operators and traditional malware into a novel, precise attack.
“This malware family sidesteps the traditional arms race between automated Trojans and banking app defenses. It does not need to reverse-engineer each bank’s UI,” the analyst said. “It does not need to maintain a list of target applications. It does not need to guess when a transaction is happening. It simply watches and then acts.”
Smith tells Dark Reading that in order to combat malware like PixRevolution, organizations “need to recognize that many of these attacks now originate on the mobile device itself.”
“When malware compromises the device, attackers can intercept authentication codes or manipulate legitimate banking sessions while appearing to be the real user,” he says. “Financial institutions should incorporate mobile threat visibility into their fraud detection and authentication workflows to identify compromised devices before fraudulent transactions occur.”