Android Malware Target Pix Payments, Banking Apps, and Crypto Wallets

[Myleschetty]

New Malware called BeatBanker was detected. It was said to target  Pix payments, banking apps, and crypto wallets using a multi-layered distribution strategy built on impersonation and trust, while it also has a banking module that monitors the following browsers installed on the victim’s Android device.

Chrome
Firefox
sBrowser
Brave
Opera
DuckDuckGo
Dolphin Browser
Edge

Attackers were said to create fake Google Play Store hosted using the domains they control. The Google Play Store pages are perfect replicas of legitimate Play Store listings, with complete apps, descriptions, ratings, and the “Install” button. The difference is that instead of directing users to the real Play Store, the button downloads a malicious APK.
Note: If you get this response or APK download when trying to install an app using Google Play Store, it's the BeatBanker. Although the attacker was said to currently focus on Brazil, that doesn't mean they won't shift attack location as we speak.


The BeatBanker malware allows attackers to watch the victim's screen in real time and navigate it. They see the victim type in a recipient's PIX key and similar details.

When the user tries to make a transaction, BeatBanker creates overlay pages for Binance, Trust Wallet, etc, covertly replacing the destination address with its own wallet address.


Source

[Charles-Tim]

I do not login on my browser, so anytime I want to download an app through the Playstore, I will be required to login but I do not prefer to login because copy/paste the app on the Playstore app to search for the app to download it is faster than to first try to login first on the browser while I have already login on the Playstore app.

I did not know this could have been helping. I will continue to download directly from the Playstore app directly. Also I can be taken from the browser to Playstore where I login to download the app.

I know that there can be fake apps also on the legit Playstore.

[r_victory]

If people aren't paying attention, they can easily fall for scams like this. In the image showing the supposedly legitimate app, the word "refund" is misspelled. It might not mean anything to many, but to me it's already a sign of haste or carelessness, which would make me question the app's legitimacy. It's quite convenient that it's an INSS (Brazilian National Social Security Institute) app mentioning refunds, especially during a delicate time when the agency is facing the scandal of billions being diverted from retirees' accounts; it's very difficult not to fall for it. Luckily, it's already been discovered.

[AVE5]

Of all times I've been using Android mobile phones, I've never downloaded the google play by myself because it's already modified and installed in the device.
Maybe it should be some certain lower model or brands of the android which doesn't come with the pre-installed Apk that would require the need of the users to manually download it themselves. I'm just trying to say that users who doesn't have to download this malware apk in their device can be free from the threat.

When the user tries to make a transaction, BeatBanker creates overlay pages for Binance, Trust Wallet, etc, covertly replacing the destination address with its own wallet address.

This is a very technical scheme that after pasting the required wallet address, the scammers having access to monitor your device screen can just change the address at their end while transaction is still on process. Definitely users who aren't careful enough would always fall victims to this trick.
Thanks for sharing Op.

[rdluffy]

I was very curious about the title mentioning PIX, since this payment method is from Brazil

From what I could understand, the app is installed by a supposed application from Brazil's National Social Security Institute (INSS)
What makes me sad and apprehensive is that those who seek out this government agency are usually elderly people or people who are away from work, retired, etc

There is a good chance that it will affect a large number of people, and if they are elderly, it is even worse
A person without much information may download this apk and install it without realizing what they are doing

[PrivacyG]

You know what.  I have heard of at least five separate attacks or vulnerabilities only in the past two months.  At this point these attacks are so often and demanded that you should all just give up Android Cryptocurrency holding or limit it to as much as a meal in the center of your city.  It is clearly not worth the constant attention we need to put constantly on finding out which other attack has been launched.

There are Hardware Wallets that work together with your phone.  Use these.  Put more effort in keeping your Bitcoin Secure.

[DYING_S0UL]

Correct me if I'm wrong, but this malware is being distributed through visiting the phishing site (pretending to be related to playstore) through a browser, then downloading and installing the said INSS apk file, right? I have read the source you have provided but still I'm confused about the initial distribution process. Would anyone mind clearing that?

Things are getting really hard man. Every day, new vulnerabilities are being discovered and exploited, and these hackers are finding new ways to drain users. This just tells us one thing, "Android" is never meant to keep big amount of coins, no matter how convenient that may seem.

[BitMaxz]

That's why I don't use the browser to download any apps anywhere, even in a legit site, with my phone because there are lots of possibilities that we don't know since we are not seeing them on the backend, and possibly some sites also have some script like silent auto-download and install.
If we need to keep our wallet away from these attacks, I better have an extra phone for browsing and another one for wallets that I only use for signing transactions.

Day by day it seems we are always seeing new viruses and malware. We should always be careful of any site we access. For me, I usually access the Play Store app rather than accessing them on their site. I always use VirusTotal to scan the file and website first to at least filter out any suspicious files and scripts from the site.

[promise444c5]

I thought we all agreed  phone was never a good option to hold your Bitcoin. Even with that, the recent vulnerabilities target by malware doesn’t just target your seeds only they target a lot related to financial data.

I think we can come to conclusion  on not relying  too much on our mobile devices anymore. Consider limiting too much access of these stuffs from your mobile devices and at the same time be watchful of what you download, verify 3x if needed before hitting the download or install button .

It’s still avoidable as long you don’t download malware applications so the main watch should be on downloads..

[Awaklara]

I will not install applications from browser searches. Not just applications, we also need to be more careful when visiting websites through searches in our device's browser. Scammers make their website addresses look the same as the real ones.
Besides, our devices usually automatically give a warning for applications downloaded from outside. When that happens, it should already make us more cautious.

[Moreno233]

I use Android phone that comes with Google Playstore where I search and download any app I want without going to any website to search for the app. I don't know how I can be exposed such risks with what I explained because from the OP,  the attack is only possible when a person wants to download app from browser. Whatever be the case, I'll still ve careful of downloading anything from the web when I receive such prompts. 

[Forsyth Jones]

If people aren't paying attention, they can easily fall for scams like this. In the image showing the supposedly legitimate app, the word "refund" is misspelled. It might not mean anything to many, but to me it's already a sign of haste or carelessness, which would make me question the app's legitimacy. It's quite convenient that it's an INSS (Brazilian National Social Security Institute) app mentioning refunds, especially during a delicate time when the agency is facing the scandal of billions being diverted from retirees' accounts; it's very difficult not to fall for it. Luckily, it's already been discovered.

These malware that overlay screens to capture sensitive information are becoming common and that's frightening. Those of us who are at least minimally informed are not easily victimized, but our parents or grandparents, who have little contact with technology are.

Correct me if I'm wrong, but this malware is being distributed through visiting the phishing site (pretending to be related to playstore) through a browser, then downloading and installing the said INSS apk file, right? I have read the source you have provided but still I'm confused about the initial distribution process. Would anyone mind clearing that?

Same here, perhaps this should be the most important part of the news that is missing... but my guess is that they are spread via SMS. It's very common to receive malicious links there, banners, and malicious video ads in apps, malicious apps that download these malware apps in the background...

That's how my grams got adware or malware that made her phone screen burst with strange pop-up ads, who knows what else it was doing, like mining crypto like XMR and stealing credentials...

My guess is that she kept clicking on malicious ads on social media, malicious links on google or some malicious app.

[suzanne5223]

Of all times I've been using Android mobile phones, I've never downloaded the google play by myself because it's already modified and installed in the device.
Maybe it should be some certain lower model or brands of the android which doesn't come with the pre-installed Apk that would require the need of the users to manually download it themselves. I'm just trying to say that users who doesn't have to download this malware apk in their device can be free from the threat.

I think you don't read to understand the attacker strategy as explained cause it's like the attacker creating a shadow Google Play store that will look just like the normal one, and the mobile user who wants to download an app through the Play Store will have the impression that they are using the real Google Play store cause it looks just like it. But the only difference is that the fake Google Play store will make the user download their apps through APK instead of the normal Google Play Store downloading model.

[Satofan44]

You have to be pretty dumb to fall for malware like this, it requires several user steps all of which are wrong. The only really dangerous malware would be one that is a complete zero click zero day vulnerability, that is what you should watch out for and the risk increases exponentially if you are using outdated or cheap devices like plenty of people do. Anyway, having a secondary phone where you keep all of those applications and only use it when you need to interact with those applications is the solution to this. If a person does that and they still end up having malware of this kind, they are really dumb and should stop using technology all together.  

Initial infection vector

The campaign begins with a counterfeit website, cupomgratisfood[.]shop, that looks exactly like the Google Play Store. This fake app store contains the “INSS Reembolso” app, which is in fact a Trojan. There are also other apps that are most likely Trojans too, but we haven’t obtained them.

As I was saying, this is mostly for old people or technologically dumb people. This is the equivalent of giving the key to your house to some local criminals and then later being surprised that you got robbed.   "But they pretended to be nice people" is not a valid excuse or justification for an error that is as large as this.

I do not login on my browser, so anytime I want to download an app through the Playstore, I will be required to login but I do not prefer to login because copy/paste the app on the Playstore app to search for the app to download it is faster than to first try to login first on the browser while I have already login on the Playstore app.

I did not know this could have been helping. I will continue to download directly from the Playstore app directly. Also I can be taken from the browser to Playstore where I login to download the app.

I know that there can be fake apps also on the legit Playstore.

You should not be using the Play Store at all, neither logged in or logged out (which most people do not know how to do anyway) or install things other than what is needed initially if you want to have real security on such a device. Most people don't follow this basic advice, but they download all sorts of things on a whim because they are bored and addicted to consuming. The Play Store is not a safe platform, there is malware of all sorts in there all the time.

[promise444c5]

I use Android phone that comes with Google Playstore where I search and download any app I want without going to any website to search for the app. I don't know how I can be exposed such risks with what I explained because from the OP,  the attack is only possible when a person wants to download app from browser. Whatever be the case, I'll still ve careful of downloading anything from the web when I receive such prompts.  

The way it works, you have to visit a  site that looks legit for some reason or whatever , from there you could be tricked to click a button that looks like installing an app from Google play which will eventually land you on the malicious play store clone.
Doesn’t mean the process will be exactly just like above, you just have to be tricked somehow to land their malicious site  (pretty easy to avoid ).

Hence, it’s actually better to navigate or download directly through an official website/source especially when it comes to wallet. If it redirects to play store then fine but you still need to be watchful of what you download..

Here is an interesting one if you think all apps on play store are safe : 77 malicious apps removed from Google Play Store

[bhadz]

When someone sees one like that as they download, report it quickly to google so that they can remove that in their playstore. They have no good filtering system and that's why these kinds of apps done by hackers are able to list on them. And not just that, they're able to trick with such updates into a direct download of their apk. I am not the kind of guy that usually gets into the playstore but even so, there are a lot of these malicious apps that are almost on every platform and even in social media platforms. They can be found there if you're too careless and friendly to strangers.

[Myleschetty]

I was very curious about the title mentioning PIX, since this payment method is from Brazil

Based on what I've read about the attacker. The majority of their victims are PIX app users, though some are cryptocurrency users. They currently concentrate on Brazil (I won't be shocked if they have focused on more countries as we speak due to the information about their attack that is spreading).

You know what.  I have heard of at least five separate attacks or vulnerabilities only in the past two months.  At this point these attacks are so often and demanded that you should all just give up Android Cryptocurrency holding or limit it to as much as a meal in the center of your city.  It is clearly not worth the constant attention we need to put constantly on finding out which other attack has been launched.

There are Hardware Wallets that work together with your phone.  Use these.  Put more effort in keeping your Bitcoin Secure.

Absolutely, you have a point, and I think the most sensible course of action is for all cryptocurrency supporters to refrain from using mobile wallets.