Android Malware Target Pix Payments, Banking Apps, and Crypto Wallets

[Myleschetty]

New Malware called BeatBanker was detected. It was said to target  Pix payments, banking apps, and crypto wallets using a multi-layered distribution strategy built on impersonation and trust, while it also has a banking module that monitors the following browsers installed on the victim’s Android device.

Chrome
Firefox
sBrowser
Brave
Opera
DuckDuckGo
Dolphin Browser
Edge

Attackers were said to create fake Google Play Store hosted using the domains they control. The Google Play Store pages are perfect replicas of legitimate Play Store listings, with complete apps, descriptions, ratings, and the “Install” button. The difference is that instead of directing users to the real Play Store, the button downloads a malicious APK.
Note: If you get this response or APK download when trying to install an app using Google Play Store, it's the BeatBanker. Although the attacker was said to currently focus on Brazil, that doesn't mean they won't shift attack location as we speak.


The BeatBanker malware allows attackers to watch the victim's screen in real time and navigate it. They see the victim type in a recipient's PIX key and similar details.

When the user tries to make a transaction, BeatBanker creates overlay pages for Binance, Trust Wallet, etc, covertly replacing the destination address with its own wallet address.


Source

[Charles-Tim]

I do not login on my browser, so anytime I want to download an app through the Playstore, I will be required to login but I do not prefer to login because copy/paste the app on the Playstore app to search for the app to download it is faster than to first try to login first on the browser while I have already login on the Playstore app.

I did not know this could have been helping. I will continue to download directly from the Playstore app directly. Also I can be taken from the browser to Playstore where I login to download the app.

I know that there can be fake apps also on the legit Playstore.

[r_victory]

If people aren't paying attention, they can easily fall for scams like this. In the image showing the supposedly legitimate app, the word "refund" is misspelled. It might not mean anything to many, but to me it's already a sign of haste or carelessness, which would make me question the app's legitimacy. It's quite convenient that it's an INSS (Brazilian National Social Security Institute) app mentioning refunds, especially during a delicate time when the agency is facing the scandal of billions being diverted from retirees' accounts; it's very difficult not to fall for it. Luckily, it's already been discovered.

[AVE5]

Of all times I've been using Android mobile phones, I've never downloaded the google play by myself because it's already modified and installed in the device.
Maybe it should be some certain lower model or brands of the android which doesn't come with the pre-installed Apk that would require the need of the users to manually download it themselves. I'm just trying to say that users who doesn't have to download this malware apk in their device can be free from the threat.

When the user tries to make a transaction, BeatBanker creates overlay pages for Binance, Trust Wallet, etc, covertly replacing the destination address with its own wallet address.

This is a very technical scheme that after pasting the required wallet address, the scammers having access to monitor your device screen can just change the address at their end while transaction is still on process. Definitely users who aren't careful enough would always fall victims to this trick.
Thanks for sharing Op.

[rdluffy]

I was very curious about the title mentioning PIX, since this payment method is from Brazil

From what I could understand, the app is installed by a supposed application from Brazil's National Social Security Institute (INSS)
What makes me sad and apprehensive is that those who seek out this government agency are usually elderly people or people who are away from work, retired, etc

There is a good chance that it will affect a large number of people, and if they are elderly, it is even worse
A person without much information may download this apk and install it without realizing what they are doing

[PrivacyG]

You know what.  I have heard of at least five separate attacks or vulnerabilities only in the past two months.  At this point these attacks are so often and demanded that you should all just give up Android Cryptocurrency holding or limit it to as much as a meal in the center of your city.  It is clearly not worth the constant attention we need to put constantly on finding out which other attack has been launched.

There are Hardware Wallets that work together with your phone.  Use these.  Put more effort in keeping your Bitcoin Secure.

[DYING_S0UL]

Correct me if I'm wrong, but this malware is being distributed through visiting the phishing site (pretending to be related to playstore) through a browser, then downloading and installing the said INSS apk file, right? I have read the source you have provided but still I'm confused about the initial distribution process. Would anyone mind clearing that?

Things are getting really hard man. Every day, new vulnerabilities are being discovered and exploited, and these hackers are finding new ways to drain users. This just tells us one thing, "Android" is never meant to keep big amount of coins, no matter how convenient that may seem.

[BitMaxz]

That's why I don't use the browser to download any apps anywhere, even in a legit site, with my phone because there are lots of possibilities that we don't know since we are not seeing them on the backend, and possibly some sites also have some script like silent auto-download and install.
If we need to keep our wallet away from these attacks, I better have an extra phone for browsing and another one for wallets that I only use for signing transactions.

Day by day it seems we are always seeing new viruses and malware. We should always be careful of any site we access. For me, I usually access the Play Store app rather than accessing them on their site. I always use VirusTotal to scan the file and website first to at least filter out any suspicious files and scripts from the site.