


Perceptive Security
SOC/SIEM Consultancy

Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets
Published:
12 March 2026 at 07:56:00
Alert date:
12 March 2026 at 09:01:21
Source:
thehackernews.com
Mobile & IoT, Ransomware & Malware
Cybersecurity researchers have discovered six new Android malware families designed to steal data and conduct financial fraud. The malware families include PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. These threats range from traditional banking trojans to full-fledged remote administration tools. The malware specifically targets Pix payments, banking applications, and cryptocurrency wallets. PixRevolution and other variants pose significant threats to mobile financial security.
Technical details
Six Android malware families discovered:
PixRevolution: targets Brazil's Pix payment platform with real-time payment hijacking, operated by human or AI agent operators.
TaxiSpy RAT: targets Russian banking apps with VNC-like remote control over WebSocket.
BeatBanker: uses an inaudible audio loop as a persistence mechanism; includes a cryptocurrency miner and a banking trojan.
Mirax: malware-as-a-service (MaaS) offering with banking overlays and a SOCKS5 proxy.
Oblivion RAT: automated permission-granting mechanism that bypasses security controls on major manufacturers' devices.
SURXRAT: incorporates an LLM module and a ransomware-style screen locker.
Across the families, the malware spreads via fake Google Play Store pages, abuses accessibility services and the MediaProjection API, connects to external servers on TCP port 9000, uses Firebase Cloud Messaging for C2, monitors web browsers, and employs evasion techniques including native library encryption and rolling XOR string obfuscation.
Mitigation steps:
Avoid downloading apps from unofficial sources or fake Google Play Store pages.
Be cautious when granting accessibility service permissions to apps.
Monitor for unusual network connections on TCP port 9000.
Watch for apps requesting excessive permissions.
Be alert during financial transactions for unusual loading screens or delays.
Verify app authenticity before installation.
Monitor for unauthorized cryptocurrency mining activity.
Check battery temperature and usage patterns for anomalies.
Implement mobile device management solutions to detect and prevent malicious app installations.
Affected products:
Android devices
Brazil's Pix instant payment platform
Expedia app
Sicredi app
Correios app
Binance
Trust Wallet
Chrome browser
Edge browser
Firefox browser
Brave browser
Opera browser
DuckDuckGo browser
Dolphin Browser
sBrowser
MIUI/HyperOS (Xiaomi)
One UI (Samsung)
ColorOS (OPPO)
MagicOS (Honor)
OxygenOS (OnePlus)
Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax)
Free Fire x JUJUTSU KAISEN (com.dts.freefireth)
Russian banking apps
Russian cryptocurrency apps
Russian government apps
Related links:
https://thehackernews.com/2024/03/pixpirate-android-banking-trojan-using.html
https://zimperium.com/blog/pixrevolution-the-agent-operated-android-trojan-hijacking-brazils-pix-payments-in-real-time
https://thehackernews.com/2025/03/new-android-trojan-crocodilus-abuses.html
https://www.bcb.gov.br/en/financialstability/pix_en
https://securelist.com/beatbanker-miner-and-banker/119121/
https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html
https://thehackernews.com/2023/08/syrian-threat-actor-evlf-unmasked-as.html
https://thehackernews.com/2025/11/threatsday-bulletin-cisco-0-days-ai-bug.html#new-android-rat-enters-black-market-for-500
https://zimperium.com/blog/extended-iocs-for-taxispy-android-banking-malware
https://www.cyfirma.com/research/taxispy-rat-analysis-of-taxispy-rat-russian-banking-focused-android-malware-with-full-remote-control/
https://x.com/KrakenLabs_Team/status/2029525839860163010
https://www.certosoftware.com/insights/oblivion-the-new-300-android-rat-that-beats-every-major-phone-manufacturers-security/
https://cyble.com/blog/surxrat-downloads-large-llm-module-from-hugging-face/
https://thehackernews.com/2026/02/new-zerodayrat-mobile-spyware-enables.html
Related CVEs:
Related threat actors:
IOCs:
TCP port 9000 connections
Firebase Cloud Messaging C2 infrastructure
WebSocket connections for VNC-like remote control
5-second Chinese audio file loop
Fake Google Play Store app listing pages
Package names: com.dts.freefiremax, com.dts.freefireth
Fake overlay with 'Aguarde...' text
LLM module downloads from Hugging Face
Monero miner components
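The following Python script is an added triage example for the two network- and host-side indicators above that are easiest to check from SIEM and MDM data (the TCP port 9000 connections and the IoC package names); it is not code from the original alert or from the cited research. It assumes two constructed, hypothetical input formats: connection log lines of the form "timestamp src_ip dst_ip:dst_port proto", and MDM app-inventory rows of (device_id, package_name, installer_package). The mobile-device address range 10.20.0.0/16, the device ids and all sample traffic are constructed. Port 9000 is used by plenty of legitimate server software, so the connection rule is scoped to the managed mobile range and should be treated as a triage signal, not a verdict. Because the alert lists com.dts.freefiremax and com.dts.freefireth both as affected products and as IoC package names, the package name alone cannot separate the genuine game from an impersonating build; the inventory rule therefore only flags installs whose installer is not Google Play.

```python
"""Triage helper for the IoCs listed in this alert.

Added example, not code from the original alert or the cited research.
Assumed (hypothetical) input formats, adapt to your SIEM/MDM:
  1. connection log lines: "<timestamp> <src_ip> <dst_ip>:<dst_port> <proto>"
  2. MDM app-inventory rows: (device_id, package_name, installer_package)
"""
import ipaddress
import re
from dataclasses import dataclass

# Values taken from the alert's IoC list.
C2_PORTS = {9000}
IOC_PACKAGES = {"com.dts.freefiremax", "com.dts.freefireth"}

# Google Play's installer package; anything else means the app was sideloaded
# (e.g. from a fake Play Store page) or the MDM could not determine the source.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumed address range of managed mobile devices. Port 9000 is common for
# legitimate server software, so the rule is scoped to this range to cut noise.
MOBILE_NET = ipaddress.ip_network("10.20.0.0/16")

CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    subject: str   # device id or source IP
    rule: str
    detail: str


def scan_connections(lines):
    """Flag outbound TCP connections from the mobile range to the alert's C2 port."""
    findings = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than abort the sweep
        if m["proto"].lower() != "tcp" or int(m["port"]) not in C2_PORTS:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        if src not in MOBILE_NET:
            continue
        findings.append(Finding(
            subject=str(src),
            rule="tcp-9000-outbound-from-mobile",
            detail=f"{src} -> {m['dst']}:{m['port']} at {m['ts']}",
        ))
    return findings


def scan_inventory(rows):
    """Flag IoC package names whose installer is not Google Play.

    The alert lists these names both as affected products and as IoCs, so the
    name alone cannot separate the genuine game from an impersonating build;
    the installer source is used as the discriminator.
    """
    findings = []
    for device, package, installer in rows:
        if package in IOC_PACKAGES and installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(
                subject=device,
                rule="ioc-package-not-from-play",
                detail=f"{package} installed via {installer or 'unknown'}",
            ))
    return findings


# Constructed sample telemetry (not real traffic or devices).
SAMPLE_CONN_LOG = [
    "2026-03-12T08:01:02Z 10.20.4.17 203.0.113.55:9000 tcp",   # mobile -> port 9000: flag
    "2026-03-12T08:01:05Z 10.20.4.17 203.0.113.10:443 tcp",    # ordinary HTTPS: ignore
    "2026-03-12T08:02:00Z 192.168.1.9 203.0.113.55:9000 tcp",  # outside mobile range: ignore
    "2026-03-12T08:03:00Z 10.20.4.18 203.0.113.55:9000 udp",   # UDP, not TCP: ignore
    "malformed line",
]
SAMPLE_INVENTORY = [
    ("android-0017", "com.dts.freefiremax", "com.android.vending"),  # from Play: ignore
    ("android-0018", "com.dts.freefireth", ""),                      # unknown source: flag
    ("android-0019", "com.example.bank", "com.android.vending"),     # not an IoC: ignore
]


def triage():
    """Run both sweeps over the sample data and return all findings."""
    return scan_connections(SAMPLE_CONN_LOG) + scan_inventory(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Run as-is it reports two findings from the constructed data: the port 9000 connection from 10.20.4.17 and the sideloaded com.dts.freefireth on android-0018. In production, feed the functions your own exported connection logs and MDM inventory, and correlate a port 9000 hit with the device's recent app installs before escalating.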
This article was created with the assistance of AI technology by Perceptive.
