Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets
#Security


Security Reporter

Cybersecurity researchers have uncovered six new Android malware families targeting financial services, including PixRevolution's real-time payment hijacking, BeatBanker's inaudible audio persistence, and AI-enhanced RATs like SURXRAT and Oblivion.

Cybersecurity researchers have uncovered six new Android malware families that combine traditional banking trojan capabilities with advanced remote access features to target financial services, cryptocurrency wallets, and instant payment platforms.

PixRevolution Targets Brazil's Pix Payment System

PixRevolution represents a notable evolution in mobile banking malware, built specifically to hijack transfers on Brazil's Pix instant payment platform. Unlike conventional banking trojans, which harvest credentials for later use, PixRevolution manipulates the transaction itself while the victim is making it.

"This new strain of malware operates stealthily within the device until the moment the victim initiates a Pix transfer," said security researcher Aazim Yaswant. "What distinguishes this threat from conventional banking trojans is its fundamental design: a human or AI agent operator is actively engaged on the remote end, observing the victim's phone screen instantaneously, poised to act at the precise moment of transaction."

The malware spreads through counterfeit Google Play Store listings impersonating popular services such as Expedia, Sicredi, and Correios. Once installed, it asks the victim to enable its accessibility service, which lets it read screen contents and inject input into other apps, and it connects to attacker-controlled servers on port 9000 so the operator can watch the device in real time.

During a Pix transfer, PixRevolution covers the screen with a fake "Aguarde..." ("please wait" in Portuguese) overlay while it silently replaces the recipient Pix key the victim entered with one controlled by the attacker. The victim then sees a normal transfer confirmation, unaware that the funds went to the attacker's account.

"From the victim's perspective, nothing unusual happened," Yaswant explained. "The app briefly showed a loading indicator, something that occurs routinely during legitimate banking operations. The transfer was confirmed successfully. The amount they intended to send was deducted from their account. It is only later, sometimes much later, that the victim discovers the money went to the wrong account."
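The attack works because the only thing that changes is the recipient key, and the five Pix key types (CPF, CNPJ, e-mail, phone, and the random "EVP" UUID) can each be written in several equivalent forms, so a naive string comparison between what the customer typed and what was submitted produces false alarms. The added example below, written for this article rather than taken from the researchers' report or any bank's code, normalizes each key type using the public CPF/CNPJ check-digit rules and flags transfers whose submitted recipient does not match the one the customer entered. The transfer records are constructed for illustration. A check like this only has value where the malware cannot edit its inputs, for example server-side against the recipient the customer confirmed, since on a device where an accessibility service is under attacker control any purely on-device comparison can itself be tampered with.

```python
import re
import uuid
from typing import Optional, Tuple

# Added example, not part of the original report or of any bank's software.
# Formats and check digits follow the public Pix / Receita Federal rules;
# the transfer records at the bottom are constructed test data.

def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)

def _check_digit(digits: str, weights: list) -> int:
    # Standard "mod 11" check digit used by both CPF and CNPJ.
    r = sum(int(d) * w for d, w in zip(digits, weights)) % 11
    return 0 if r < 2 else 11 - r

def valid_cpf(key: str) -> bool:
    d = _digits(key)
    if len(d) != 11 or d == d[0] * 11:      # repeated digits pass the math but are invalid
        return False
    d1 = _check_digit(d[:9], list(range(10, 1, -1)))
    d2 = _check_digit(d[:10], list(range(11, 1, -1)))
    return d[9:] == f"{d1}{d2}"

def valid_cnpj(key: str) -> bool:
    d = _digits(key)
    if len(d) != 14 or d == d[0] * 14:
        return False
    w1 = [5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2]
    w2 = [6] + w1
    d1 = _check_digit(d[:12], w1)
    d2 = _check_digit(d[:13], w2)
    return d[12:] == f"{d1}{d2}"

def classify_pix_key(key: str) -> Optional[Tuple[str, str]]:
    """Return (key type, canonical form), or None if the text matches no Pix key format."""
    k = key.strip()
    phone = re.sub(r"[\s()\-]", "", k)
    if re.fullmatch(r"\+55\d{10,11}", phone):   # Pix phone keys carry the +55 country code
        return ("phone", phone)
    if "@" in k:
        if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", k):
            return ("email", k.lower())
        return None
    if valid_cpf(k):
        return ("cpf", _digits(k))
    if valid_cnpj(k):
        return ("cnpj", _digits(k))
    try:
        return ("evp", str(uuid.UUID(k)))        # random (EVP) keys are UUIDs
    except ValueError:
        return None

def recipient_matches(entered: str, submitted: str) -> bool:
    """True only when both keys parse to the same type and canonical value."""
    a, b = classify_pix_key(entered), classify_pix_key(submitted)
    return a is not None and a == b

# Constructed transfers: t2 models the substitution described in the article,
# where the customer typed a CPF but a random EVP key was submitted.
TRANSFERS = [
    {"id": "t1", "entered": "111.444.777-35", "submitted": "11144477735", "amount": 150.00},
    {"id": "t2", "entered": "111.444.777-35",
     "submitted": "9b3c2f54-4a6e-4f8d-9f3e-2c1d7e5a8b90", "amount": 2500.00},
    {"id": "t3", "entered": "+55 (11) 99999-9999", "submitted": "+5511999999999", "amount": 40.00},
]

def flag_substitutions(transfers) -> list:
    """IDs of transfers whose submitted recipient differs from the entered one."""
    return [t["id"] for t in transfers if not recipient_matches(t["entered"], t["submitted"])]

if __name__ == "__main__":
    for t in TRANSFERS:
        print(t["id"], classify_pix_key(t["entered"]), "->", classify_pix_key(t["submitted"]))
    print("flagged:", flag_substitutions(TRANSFERS))
```

Only `t2` is flagged: `t1` and `t3` differ in punctuation but normalize to the same key, while `t2` changes key type entirely, which is the pattern a key-swapping trojan leaves behind.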

BeatBanker Uses Inaudible Audio for Persistence

Brazilian users face another threat from BeatBanker, which spreads through phishing websites disguised as the Google Play Store. The malware employs an unusual persistence mechanism: it plays a 5-second inaudible audio recording of Chinese words on a continuous loop so that Android does not terminate the process.

BeatBanker checks at runtime whether it is running in an emulator, and it monitors battery state to throttle its cryptocurrency mining. It uses Google's Firebase Cloud Messaging (FCM) for command-and-control, which lets its traffic blend in with legitimate Google push notifications.

When users attempt USDT transactions, BeatBanker draws overlay pages on top of Binance and Trust Wallet and replaces the destination wallet address with one controlled by the threat actors. The malware also monitors multiple browsers, including Chrome, Edge, Firefox, Brave, Opera, and DuckDuckGo, to capture banking credentials.

Recent BeatBanker variants have begun dropping BTMOB RAT instead of the banking module. BTMOB provides comprehensive remote control capabilities and is linked to a Syrian threat actor known as EVLF. Its source code has been leaked on dark web forums, which suggests it will spread to other operators.

TaxiSpy RAT Combines Banking and RAT Functionality

TaxiSpy RAT abuses Android's accessibility services and the MediaProjection API (screen capture) to collect SMS messages, contacts, call logs, clipboard contents, and keystrokes. It specifically targets Russian banking, cryptocurrency, and government applications through overlay attacks.

"The malware leverages advanced evasion techniques, such as native library encryption, rolling XOR string obfuscation, and real-time VNC-like remote control via WebSocket," according to CYFIRMA. The malware's design enables comprehensive device surveillance and financially motivated operations focused on Russian users.
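Rolling XOR is cheap for malware authors and equally cheap to undo once an analyst has the routine. The report does not describe TaxiSpy's exact scheme, so the example below, added for this article and not taken from the malware or from CYFIRMA's analysis, assumes a typical variant in which each key byte is also mixed with the previous ciphertext byte, so the effective key "rolls" with the data. It shows the encoder, the decoder, a decoder for a length-prefixed string table of the kind such samples embed, and a crib-based key recovery that works whenever the analyst knows the first few bytes of any one string (a package prefix or a URL scheme is usually enough). The key, the strings, and the table layout are all constructed.

```python
# Added example: an assumed rolling-XOR scheme, not TaxiSpy's actual routine.
# Per-byte rule: c[i] = p[i] ^ key[i % len(key)] ^ c[i-1], with c[-1] = 0.

def rolling_xor_encode(plaintext: bytes, key: bytes) -> bytes:
    if not key:
        raise ValueError("key must be non-empty")
    out, prev = bytearray(), 0
    for i, p in enumerate(plaintext):
        c = p ^ key[i % len(key)] ^ prev
        out.append(c)
        prev = c                      # chaining makes the stream key data-dependent
    return bytes(out)

def rolling_xor_decode(ciphertext: bytes, key: bytes) -> bytes:
    if not key:
        raise ValueError("key must be non-empty")
    out, prev = bytearray(), 0
    for i, c in enumerate(ciphertext):
        out.append(c ^ key[i % len(key)] ^ prev)
        prev = c                      # the previous *ciphertext* byte, as in the encoder
    return bytes(out)

def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Crib attack: with key_len known plaintext bytes, every key byte falls out
    of k[i] = c[i] ^ p[i] ^ c[i-1]."""
    if len(known_prefix) < key_len:
        raise ValueError("crib shorter than key")
    key, prev = bytearray(), 0
    for i in range(key_len):
        key.append(ciphertext[i] ^ known_prefix[i] ^ prev)
        prev = ciphertext[i]
    return bytes(key)

# Assumed table layout: each entry is one length byte followed by the
# obfuscated string; every entry is encoded independently (chain reset).
def encode_string_table(strings, key: bytes) -> bytes:
    blob = bytearray()
    for s in strings:
        enc = rolling_xor_encode(s.encode("utf-8"), key)
        if len(enc) > 255:
            raise ValueError("entry too long for a one-byte length prefix")
        blob.append(len(enc))
        blob += enc
    return bytes(blob)

def decode_string_table(blob: bytes, key: bytes) -> list:
    out, i = [], 0
    while i < len(blob):
        n = blob[i]
        i += 1
        out.append(rolling_xor_decode(blob[i:i + n], key).decode("utf-8", "replace"))
        i += n
    return out

# Constructed sample: a key and a few strings of the kind an Android RAT hides.
SAMPLE_KEY = b"\x5a\xc3\x17"
SAMPLE_STRINGS = [
    "https://example.invalid/ws",      # placeholder C2 URL, not a real indicator
    "BIND_ACCESSIBILITY_SERVICE",
    "MediaProjection",
]
SAMPLE_BLOB = encode_string_table(SAMPLE_STRINGS, SAMPLE_KEY)

def recover_and_decode(blob: bytes, crib: bytes, key_len: int) -> list:
    """Analyst workflow: recover the key from the first entry's crib, then decode all."""
    first = blob[1:1 + blob[0]]
    key = recover_key(first, crib, key_len)
    return decode_string_table(blob, key)

if __name__ == "__main__":
    print(recover_key(SAMPLE_BLOB[1:1 + SAMPLE_BLOB[0]], b"htt", 3).hex())
    for s in recover_and_decode(SAMPLE_BLOB, b"https://", 3):
        print(s)
```

The crib step is the practical payoff: once the key length is known from the decryption loop in the native library, three known plaintext bytes at the start of any one string recover the whole key, and the rest of the table decodes without further reverse engineering.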

Mirax and Oblivion Offer Malware-as-a-Service

Mirax represents a private malware-as-a-service offering advertised by a threat actor named Mirax Bot. Priced at $2,500 monthly for the full version or $1,750 for a light variant, Mirax claims to provide banking overlays, keystroke logging, SMS interception, and SOCKS5 proxy capabilities.

Oblivion takes a different approach, being sold for approximately $300 per month or $1,900 annually. Its seller claims it evades detection on devices from major manufacturers including Samsung, Xiaomi, OPPO, Honor, and OnePlus, and advertises an automated permission-granting mechanism that requires no victim interaction.

"What sets it apart isn't any single feature. It's the combination: automated permission bypass, hidden remote control, deep persistence, and a point-and-click builder that puts all of it within reach of would-be hackers with even the most minimal level of technical skill," noted Certos.

SURXRAT Integrates AI and Ransomware Features

SURXRAT, distributed through a Telegram-based MaaS ecosystem, is an improved version of the Arsink malware. It abuses accessibility permissions to keep persistent control of the device and communicates with Firebase-based command-and-control infrastructure.

Notably, SURXRAT samples contain large language model components, indicating threat actors are experimenting with AI capabilities. The LLM module activates only when specific gaming applications are running or when target package names are received from the server.

Some SURXRAT samples also incorporate ransomware-style screen locker modules, allowing remote operators to hijack device control and display full-screen lock messages until payment is made.

"This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities," Cyble observed.

The emergence of these six malware families demonstrates the increasing sophistication of mobile financial threats, with attackers combining traditional banking trojan techniques with remote access capabilities, AI experimentation, and malware-as-a-service business models to target users across multiple regions and financial platforms.
