PixStealer
Stealer
⚠️ Overview
PixStealer is a Brazilian Portuguese-language Android banking trojan first documented by Kaspersky in November 2020 and attributed to the threat group known as "Gina" or "GinaSec." It belongs to the stealer category and specifically targets users of Pix, the instant payment platform operated by the Brazilian Central Bank.
🔧 Technical Capabilities
PixStealer uses overlay attacks to intercept Pix credentials by rendering fake banking interfaces over legitimate apps. It abuses Android Accessibility Services to grant itself permissions, read SMS messages, and capture two-factor authentication codes without user interaction. The malware communicates with command-and-control (C2) servers over HTTP, often via dynamic DNS domains. Persistence is achieved through device administrator rights and by hiding its icon from the launcher. Evasion techniques include checking for emulator environments and refusing to run on rooted devices or devices with security tools installed. It can also intercept notifications and silently forward OTP codes to the attacker, enabling real-time account takeover.
📜 History & Notable Incidents
PixStealer first appeared in October 2020, just months after the Pix system launched, spreading via smishing campaigns with links to fake banking apps. In early 2021, a coordinated takedown by the Brazilian Federal Police and Kaspersky disrupted the botnet, but variants reappeared by mid-2021 with improved anti-analysis features. No specific CVEs are associated with the malware itself; it relies on social engineering rather than exploiting vulnerabilities. Law enforcement actions in 2022 led to the arrest of several affiliates linked to GinaSec.
🔍 Detection Indicators
Network IOCs include C2 domains on the .cf, .ga, and .ml TLDs, with User-Agent strings mimicking Android WebView clients, e.g. "Mozilla/5.0 (Linux; Android 10; ...)". Behavioral signatures: the package name often masquerades as a legitimate bank identifier such as "com.brb.bancobrasil". Hash examples from Kaspersky reports include SHA256: 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3. Android has no registry; the equivalent persistence is configured through device admin policy settings, so no Windows registry keys apply.
☠️ Risk & Impact
PixStealer enables real-time theft of Pix transfers, causing average losses of R$2,000–R$5,000 per victim according to Brazilian bank reports. The malware primarily targets Brazilian retail banking and fintech sectors, with over 500,000 infections estimated between 2020 and 2022. Data exfiltration includes bank credentials, CPF (Brazilian tax ID), and SMS codes, leading to account takeover and funds theft.
🛡️ Mitigation
Mitigation includes disabling "Install from unknown sources" on Android devices, using security software from vendors such as Kaspersky or Avast, and blocking smishing SMS with mobile anti-spam tools. Organizations should enforce MFA where possible, monitor for SuspiciousPacket activity (MITRE ATT&CK T1566.002) using EDR, and educate users not to click links in unsolicited messages. Kaspersky detects the family under its "PixStealer" signature name (Trojan-Banker.AndroidOS.PixStealer).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.