A shocking new report claims that the latest malware targeting Android devices hides dangerous apps from view, meaning users cannot tell they’re under attack until it’s too late…
“Malicious software always aims to stay hidden,” an alarming new report into Android malware warns this week, “making itself invisible so the victims can’t detect it.” And while this type of attack was more common before Google enhanced restrictions with Android 10, this latest threat has found “a new technique to hide its icon that we have never seen financial malware use before.”
And so it begins. Here’s the latest attack vector targeting Android devices—including premium thousand-dollar-plus handsets from Samsung, Google and others, which are now going head-to-head with Apple’s iPhone, marketing their devices as secure alternatives.
This particular malware, dubbed PixPirate and first spotted by Cleafy earlier this year, has now been further analyzed by IBM’s research team. Their report details the devious tactics that ensure that “the victim remains oblivious to the malicious operations that this malware performs in the background.”
It’s dubbed PixPirate because this first attack targets the hugely popular Pix payment platform—with some 140 million users—in Brazil, a market where Samsung is by far the leading brand. But, again, there is no reason the attack can’t be modified to target other platforms in other countries.
The malware monitors user activity with online banking in mind, finding opportunities to steal login credentials for various accounts and even intercepting SMS two-factor authentication codes. “PixPirate is a sophisticated financial remote access trojan,” IBM explains, “that heavily utilizes anti-research techniques.” This includes a dropper that both installs the core malware and then launches it, negating the need for it to appear in the device’s own launcher.
IBM’s report lists out the various actions this combination of “dropper and droppee” can carry out on an infected device. It’s both an impressive list and a wake-up call as to just how dangerous this type of malware can be, at the sheer extent of compromises that can be executed in the background.
- Manipulating and controlling other applications
- Keylogging
- Collecting a list of apps installed on the device
- Installing and removing apps from the infected device
- Locking and unlocking device screen
- Accessing registered phone accounts
- Accessing contact list and ongoing calls
- Pinpointing device location
- Anti-virtual machine (VM) and anti-debug capabilities
- Persistence after reboot
- Spreading through WhatsApp
- Reading, editing and deleting SMS messages
- Anti-removal and disabling Google Play Protect
Google has said that none of this malware is currently present on its official Play Store, which is why Apple has warned so publicly that Europe forcing it to open up to third-party stores “brings greater risks to users and developers. This includes new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats. These changes also compromise Apple’s ability to detect, prevent, and take action against malicious apps on iOS and to support users impacted by issues with apps downloaded outside of the App Store.”
This last point is critical, because taken in tandem with the new techniques that are effective up to Android 14 and beyond, this warning will concern owners of Samsung’s premium devices as well as Google’s own Pixel devices, which are assumed to offer better levels of protection than more cost-effective Android handsets, and especially those operating outside the Play ecosystem.
As with so many such attacks, it starts with a link shared by SMS or WhatsApp, essentially using social engineering to trick users into agreeing the install. This brings the dropper onto the device, which then downloads, installs and launches the core malware APK itself.
As ever more of our online credentials become synonymous with our personal smartphones, the benefit of broadly taking control of so many device functions, is that the malware will trick the various identify assurance checks that take place, coming as it does from the trusted device.
Details on how to delete malicious apps can be found here.
As regards PixPirate specifically, there’s no suggestion yet that this attack has been exported more widely, and so you can prevent infections by just following the usual golden rules:
- Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load.
- Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
- Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
- Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
- Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.
But where there’s one, there’s usually more. And so running security software to scan your device and deleting any such third-party installs, especially where you clicked a link from a text, is good advice.
In response to this research, a Google spokesperson told me that “based on our current detections, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
Google also assured me that Play Protect would keep users safe from this latest malware when enabled, despite the report suggesting that might not be the case.
While this latest attack clearly targets any variety of Android device, Samsung is the only real challenger to Apple’s iPhone when it comes to the premium market, with those increased expectations for security and device integrity.
Between them, Samsung and (mostly) Apple fill all ten slots in the most recent global smartphone sales charts, and will go head-to-head with device AI later this year, with Samsung echoing some of Apple on-device focus. But Samsung’s biggest challenge is Google and the limitations that Android places on its ability to operate with autonomy. This type of security warning perfectly reflects that.
That said, Google is continuing to bring Android ever closer to iPhone as regards the level of security and safety built into the OS. But so long as these kinds of reports regularly surface, there will be a view that Android is intrinsically less safe than iPhone, which for those dropping one-to-two thousand dollars on a phone is a major risk. There remains some serious work to be done…
