Cybersecurity researchers have discovered half a dozen new Android malware families that include capabilities to steal information from compromised devices and conduct financial fraud.
The Android malware ranges from traditional banking trojans like PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT to full-fledged remote administration tools such as SURXRAT.
PixRevolution, according to Zimperium, targets Brazil’s Pix instant payment platform, hijacking victims’ money transfers in real time to route them to the threat actors instead of the intended payee.
“This new strain of malware operates stealthily within the device until the moment the victim initiates a Pix transfer,” security researcher Aazim Yaswant said. “What distinguishes this threat from conventional banking trojans is its fundamental design: a human or AI agent operator is actively engaged on the remote end, observing the victim’s phone screen instantaneously, poised to act at the precise moment of transaction.”
The Android malware propagates through fake Google Play Store app listing pages for apps like Expedia, Sicredi, and Correios to trick users into installing the malicious dropper APK files. Once installed, the apps urge users to enable accessibility services to achieve their goals.
It also connects to an external server over TCP on port 9000 to send periodic heartbeat messages containing device information and to activate real-time screen capture using Android’s MediaProjection API. The main functionality of PixRevolution, though, is monitoring the victim’s screen and serving a fake overlay as soon as the victim enters the desired amount and the Pix key of the recipient to initiate the payment.
At that point, the trojan displays a fake WebView overlay that says “Aguarde…” (meaning “wait” in Portuguese/Spanish), while, in the background, it replaces the Pix key with the attacker’s to complete the funds transfer. In the final stage, the overlay is removed, and the victim is shown a “transfer complete” confirmation screen in the Pix app.
“From the victim’s perspective, nothing unusual happened,” Yaswant said. “The app briefly showed a loading indicator, something that occurs routinely during legitimate banking operations. The transfer was confirmed successfully. The amount they intended to send was deducted from their account.”

“It is only later, sometimes much later, that the victim discovers the money went to the wrong account. And because Pix transfers are instant and final, recovery is extraordinarily difficult.”
Brazilian users have also become the target of another Android-based malware campaign called BeatBanker, which spreads primarily through phishing attacks via a website disguised as the Google Play Store. BeatBanker gets its name from its use of an unusual persistence mechanism that involves playing an almost inaudible audio file, a 5-second recording featuring Chinese words, on a loop to prevent it from being terminated.
Besides incorporating runtime checks for emulated or analysis environments, the malware monitors battery temperature and percentage, and checks whether the user is actively using the device, in order to start or stop the Monero miner as required. It uses Google’s Firebase Cloud Messaging (FCM) for command-and-control (C2).
“To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking trojan capable of completely hijacking the device and spoofing screens, among other things,” Kaspersky said. “When the user tries to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.”
The banking module also monitors web browsers like Chrome, Edge, Firefox, Brave, Opera, DuckDuckGo, Dolphin Browser, and sBrowser for URLs accessed by the victim. In addition, it can receive a long list of commands from the server to collect personal information and gain full control of the device.
Recent iterations of the campaign have been found to drop BTMOB RAT instead of the banking module. It provides operators with comprehensive remote control, persistent access, and surveillance over compromised devices. BTMOB is assessed to be an evolution of the CraxsRAT, CypherRAT, and SpySolr families, all of which have been linked to a Syrian threat actor who goes by the online alias EVLF.
“We also saw the distribution and sale of leaked BTMOB source code on some dark web forums,” the Russian security vendor said. “This may suggest that the creator of BeatBanker acquired BTMOB from its original author or the source of the leak and is utilizing it as the final payload.”
TaxiSpy RAT, like PixRevolution, abuses Android’s accessibility service and MediaProjection APIs to collect SMS messages, contacts, call logs, clipboard contents, the list of installed apps, notifications, lock screen PINs, and keystrokes, and also targets Russian banking, cryptocurrency, and government apps by serving overlays to conduct credential theft.
The malware combines traditional banking trojan functionality with full RAT capabilities, enabling threat actors to gather sensitive data and execute commands sent via Firebase push messages. Multiple TaxiSpy samples have been discovered by both CYFIRMA and Zimperium, indicating active efforts on the part of the attackers to evade signature-based detection and blacklist defenses.

“The malware leverages advanced evasion techniques, such as native library encryption, rolling XOR string obfuscation, and real-time VNC-like remote control via WebSocket,” CYFIRMA said. “Its design allows comprehensive device surveillance, including SMS, call logs, contacts, notifications, and banking app monitoring, highlighting its financially motivated and region-specific focus.”
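Both PixRevolution and TaxiSpy pair an accessibility service with MediaProjection screen capture and overlays. As an added example (not code from any of the vendor reports quoted here), the following Python triage script flags that capability combination in a decoded AndroidManifest.xml. The permission names are real Android identifiers; the weights, the review threshold and the constructed sample manifest are assumptions.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace inside the manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions tied to the behaviours described above (overlays, screen
# capture, SMS theft, dropper installs). Weights are assumed, not vendor data.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 2),
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": ("screen-capture", 3),
    "android.permission.READ_SMS": ("sms", 2),
    "android.permission.RECEIVE_SMS": ("sms", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper", 2),
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return declared risky capabilities, an assumed score and a verdict."""
    root = ET.fromstring(manifest_xml)
    caps, score = set(), 0
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in RISKY_PERMISSIONS:
            tag, weight = RISKY_PERMISSIONS[name]
            caps.add(tag)
            score += weight
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps.add("accessibility")
            score += 3
    # The pairing seen in PixRevolution and TaxiSpy: accessibility plus screen capture.
    if {"accessibility", "screen-capture"} <= caps:
        score += 3
    verdict = "review" if score >= 6 else "low"   # assumed threshold
    return {"capabilities": sorted(caps), "score": score, "verdict": verdict}

# Constructed sample manifest mimicking a dropper that asks for all of the above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The manifest inside a real APK is stored as binary XML, so decode it first (for example with apktool) before feeding it to this function.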
Another Android banking trojan of note is Mirax, which has been advertised by a threat actor named Mirax Bot as a private malware-as-a-service (MaaS) offering for a monthly price of $2,500 for a full version or $1,750 for a lightweight variant. Mirax claims to offer banking overlays, information gathering (e.g., keystrokes, SMS, lock patterns), and a SOCKS5 proxy to route malicious traffic through compromised devices.
Mirax isn’t the only Android MaaS offering detected in recent months. A new Android remote access trojan called Oblivion is being sold for around $300 per month (or $1,900 per year and $2,200 for lifetime access) and claims to bypass detection and security measures on devices from major manufacturers.
Once installed, the malware employs an automated permission-granting mechanism that requires no interaction from the victim. This approach, per the vendor, works across MIUI / HyperOS (Xiaomi), One UI (Samsung), ColorOS (OPPO), MagicOS (Honor), and OxygenOS (OnePlus).
“What sets it apart isn’t any single feature. It’s the combination: automated permission bypass, hidden remote control, deep persistence, and a point-and-click builder that puts all of it within reach of would-be hackers with even the most minimal level of technical skill,” Certos said.
“Google has made progressive restrictions on accessibility service abuse a priority across successive Android versions. A tool that credibly bypasses those protections on the latest release – and does so across devices from Samsung, Xiaomi, OPPO, and others – represents a genuine challenge to platform-level defenses.”
Also commercially distributed via a Telegram-based MaaS ecosystem is an Android malware family called SURXRAT, which is assessed to be an improved version of Arsink. The malware abuses accessibility permissions for persistent control and communicates with a Firebase-based C2 infrastructure to commandeer infected devices. The malware is advertised on a Telegram channel managed by an Indonesian threat actor.
What’s notable about some of the new samples is the presence of a large language model (LLM) component, indicating that the threat actors behind the malware are experimenting with artificial intelligence (AI) capabilities alongside traditional surveillance. That said, the download of the LLM module is triggered only when specific gaming applications are active on the victim’s device, or when it receives other target package names dynamically from the server –
- Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax)
- Free Fire x JUJUTSU KAISEN (com.dts.freefireth)
Select SURXRAT samples also incorporate a ransomware-style screen locker module that makes it possible for a remote operator to hijack control of a victim’s device and deny access by displaying a full-screen lock message until a payment is made.
“This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities,” Cyble said. “The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection.”