Cybersecurity researchers recently uncovered half a dozen new Android malware families capable of stealing data from compromised devices and committing financial fraud.
Specifically, these Android malware families range from traditional banking trojans such as PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT to advanced remote administration tools (RATs) like SURXRAT.
Notably, PixRevolution, according to Zimperium, directly targets Brazil’s Pix instant payment platform, hijacking victims’ money transfers in real time and redirecting them to threat actors instead of the intended recipient.
“This new strain of malware operates stealthily within the device until the moment the victim initiates a Pix transfer,” security researcher Aazim Yaswant said. “What distinguishes this threat from conventional banking trojans is its fundamental design: a human or AI agent operator is actively engaged on the remote end, observing the victim’s phone screen instantaneously, poised to act at the precise moment of transaction.”
Fake Google Play Pages Used to Spread Malware
Furthermore, attackers distribute PixRevolution through fake Google Play Store listing pages for popular apps such as Expedia, Sicredi, and Correios. These deceptive pages trick users into downloading malicious dropper APK files.
After installation, the rogue apps prompt victims to enable Android accessibility services, which the malware later abuses to execute its operations.
Additionally, the malware connects to an external command server over TCP port 9000, sending periodic heartbeat messages that contain device information. At the same time, it activates real-time screen capture through Android’s MediaProjection API.
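The periodic heartbeat described above is also the malware's most exposed behaviour on the network: a handset opening a connection to the same host on the same port at near-fixed intervals stands out from the bursty traffic of ordinary apps. The script below is an added example, not code from the article or from Zimperium, showing how a defender can surface such beaconing from flow records. The flow records are constructed; the only detail taken from the article is the use of TCP port 9000, and the detection deliberately does not key on that port, since the next campaign will use a different one.

```python
"""Flag periodic outbound connections (C2 heartbeats) in flow logs.

Added example, not code from the article or from any vendor report.
SAMPLE_FLOWS is constructed for illustration; only the destination port
9000 is taken from the article's description of PixRevolution.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source device, destination IP, dest port).
SAMPLE_FLOWS = [
    # Steady ~30-second heartbeat from one handset to one host on TCP 9000.
    (1000, "10.0.0.21", "203.0.113.7", 9000),
    (1030, "10.0.0.21", "203.0.113.7", 9000),
    (1061, "10.0.0.21", "203.0.113.7", 9000),
    (1090, "10.0.0.21", "203.0.113.7", 9000),
    (1120, "10.0.0.21", "203.0.113.7", 9000),
    (1150, "10.0.0.21", "203.0.113.7", 9000),
    # Ordinary browsing from another handset: bursty and irregular, port 443.
    (1005, "10.0.0.22", "198.51.100.4", 443),
    (1006, "10.0.0.22", "198.51.100.4", 443),
    (1180, "10.0.0.22", "198.51.100.4", 443),
    (1181, "10.0.0.22", "198.51.100.4", 443),
    (1400, "10.0.0.22", "198.51.100.4", 443),
    (1402, "10.0.0.22", "198.51.100.4", 443),
]


def find_beacons(flows, min_count=5, max_jitter=0.1):
    """Return (src, dst, dport, mean_interval) for every connection tuple whose
    inter-arrival times are regular: at least min_count flows and a
    coefficient of variation (stdev / mean) at or below max_jitter.

    Regularity, not the port number, is the signal: heartbeats are driven by
    a timer in the malware, so their gaps cluster tightly around one value.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_tuple[(src, dst, dport)].append(ts)

    hits = []
    for key, stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((*key, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, dport, interval in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{interval}s")
```

On the constructed sample the handset talking to 203.0.113.7:9000 every 30 seconds is reported and the browsing handset is not. In production the same logic runs over NetFlow or firewall logs, and a low-jitter tuple to an unusual port or a non-CDN destination is the one worth pulling the device for.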
However, the core function of PixRevolution involves monitoring the victim’s screen and deploying a fake overlay immediately after a user enters the payment amount and Pix key to initiate a transfer.
At that stage, the trojan displays a fake WebView overlay showing the message “Aguarde…” (meaning “wait” in Portuguese/Spanish). Meanwhile, the malware secretly replaces the Pix key with the attacker’s address and completes the fraudulent transaction.
Finally, the overlay disappears, and the victim sees a “transfer complete” confirmation screen inside the Pix app.
“From the victim’s perspective, nothing unusual happened,” Yaswant said. “The app briefly showed a loading indicator, something that occurs routinely during legitimate banking operations. The transfer was confirmed successfully. The amount they intended to send was deducted from their account.”
“It is only later, sometimes much later, that the victim discovers the money went to the wrong account. And because Pix transfers are instant and final, recovery is extraordinarily difficult.”
BeatBanker Campaign Targets Brazilian Users
Meanwhile, Brazilian users also face attacks from another Android malware campaign called BeatBanker, which spreads mainly through phishing websites disguised as the Google Play Store.
The malware earns the name BeatBanker because it maintains persistence through an unusual technique: it continuously plays a nearly inaudible 5-second audio loop containing Chinese words, preventing the system from terminating the process.
In addition, the malware performs runtime checks for emulated or analysis environments, monitors battery temperature and percentage, and determines whether the device should start or stop a Monero cryptocurrency miner. To manage communications, it relies on Google Firebase Cloud Messaging (FCM) for command-and-control (C2) operations.
“To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking trojan capable of completely hijacking the device and spoofing screens, among other things,” Kaspersky said. “When the user tries to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.”
Malware Monitors Browsers and Steals Sensitive Data
Additionally, the banking module actively monitors popular web browsers including Chrome, Edge, Firefox, Brave, Opera, DuckDuckGo, Dolphin Browser, and Samsung’s sBrowser to track URLs accessed by victims.
Moreover, the malware receives a long list of remote commands from its server, enabling attackers to collect personal information and gain full control of the infected device.
Recent versions of the campaign now deploy BTMOB RAT instead of the original banking module. This malware provides attackers with persistent remote control, device surveillance, and long-term access to compromised smartphones.
Researchers believe BTMOB evolved from the CraxsRAT, CypherRAT, and SpySolr malware families, which investigators previously linked to a Syrian threat actor known as EVLF.
“We also saw the distribution and sale of leaked BTMOB source code on some dark web forums,” the Russian security vendor said. “This may suggest that the creator of BeatBanker acquired BTMOB from its original author or the source of the leak and is utilizing it as the final payload.”
TaxiSpy RAT Expands Surveillance Capabilities
Similarly, TaxiSpy RAT abuses Android accessibility services and MediaProjection APIs to collect sensitive information including SMS messages, contacts, call logs, clipboard data, installed applications, notifications, lock screen PINs, and keystrokes.
Additionally, the malware targets Russian banking, cryptocurrency, and government applications through overlay attacks designed to steal credentials.
This malware merges traditional banking trojan features with full remote access trojan (RAT) capabilities, allowing attackers to gather sensitive data and execute commands delivered through Firebase push messages.
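Every family on this page, from PixRevolution's overlay to TaxiSpy's keystroke capture, needs the same small set of Android capabilities: an accessibility service to read and drive the UI, MediaProjection to see the screen, and the overlay permission to paint a fake screen on top of a real one. Those requests are visible in the APK's manifest before the app ever runs, so a triage step can flag the combination. The script below is an added example, not code from the article or from any of the vendors quoted; the manifest it parses is constructed, and its package and class names are placeholders.

```python
"""Triage an AndroidManifest.xml for the accessibility + screen-capture +
overlay combination the article's banking trojans rely on.

Added example, not code from the article or from any vendor. SAMPLE_MANIFEST
is constructed; its package name and component names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Constructed manifest resembling a dropper that asks for the capabilities
# described in the article. "com.example.placeholder.dropper" is invented.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.dropper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Placeholder">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Permissions that map onto the capabilities the article describes.
# MediaProjection itself is granted by a runtime prompt, but on Android 14+
# the capturing foreground service must declare this permission, which is
# why it shows up in the manifest.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on other apps",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "capture the screen",
    "android.permission.READ_SMS": "read SMS (one-time codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload further APKs (dropper)",
}


def triage_manifest(xml_text):
    """Return a list of human-readable findings for the given manifest text."""
    root = ET.fromstring(xml_text)
    findings = []

    declared = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    for perm, why in RISKY_PERMISSIONS.items():
        if perm in declared:
            findings.append(f"{perm}: {why}")

    # An accessibility service is a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE; once enabled by the user it can read every
    # screen and inject taps and text, which is how overlays and key replacement work.
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append(
                f"accessibility service {svc.get(NAME_ATTR)}: can read and inject UI"
            )
    return findings


def matches_overlay_banker_pattern(findings):
    """True when an accessibility service and the overlay permission co-occur,
    the minimum an overlay banking trojan needs to hijack a transfer screen."""
    joined = " ".join(findings)
    return "accessibility service" in joined and "draw overlays" in joined


if __name__ == "__main__":
    results = triage_manifest(SAMPLE_MANIFEST)
    for line in results:
        print("-", line)
    print("overlay-banker pattern:", matches_overlay_banker_pattern(results))
```

The script takes the decoded manifest text; in practice that comes from `apktool d` or `aapt2 dump xmltree`, since the manifest inside an APK is stored in binary XML. Legitimate apps (screen readers, remote-support tools) also request these permissions, so the output is a triage signal for a reviewer, not a verdict.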
Both CYFIRMA and Zimperium have identified multiple TaxiSpy samples, which suggests that attackers continue to modify the malware to evade signature-based detection and blocklist defenses.
“The malware leverages advanced evasion techniques, such as native library encryption, rolling XOR string obfuscation, and real-time VNC-like remote control via WebSocket,” CYFIRMA said. “Its design allows comprehensive device surveillance, including SMS, call logs, contacts, notifications, and banking app monitoring, highlighting its financially motivated and region-specific focus.”
Mirax and Oblivion Sold as Malware-as-a-Service
Another notable Android banking trojan, Mirax, now operates as a malware-as-a-service (MaaS) platform. A threat actor known as Mirax Bot advertises the malware for $2,500 per month for the full version or $1,750 for a lighter variant.
According to the advertisement, Mirax includes features such as banking overlays, keystroke logging, SMS interception, lock-pattern collection, and a SOCKS5 proxy that routes malicious traffic through infected devices.
Meanwhile, another Android MaaS tool, Oblivion RAT, sells for about $300 per month, $1,900 per year, or $2,200 for lifetime access. Its seller claims the malware bypasses device security protections across several major Android manufacturers.
Once installed, the malware automatically grants required permissions without user interaction. According to the seller, this technique works across MIUI / HyperOS (Xiaomi), One UI (Samsung), ColorOS (OPPO), MagicOS (Honor), and OxygenOS (OnePlus).
“What sets it apart isn’t any single feature. It’s the combination: automated permission bypass, hidden remote control, deep persistence, and a point-and-click builder that puts all of it within reach of would-be hackers with even the most minimal level of technical skill,” Certos said.
“Google has made progressive restrictions on accessibility service abuse a priority across successive Android versions. A tool that credibly bypasses those protections on the latest release – and does so across devices from Samsung, Xiaomi, OPPO, and others – represents a genuine challenge to platform-level defenses.”
SURXRAT Malware Experiments With AI Components
Finally, attackers also distribute SURXRAT, an Android remote access trojan linked to a Telegram-based MaaS ecosystem. Researchers believe this malware represents an improved version of Arsink RAT.
The malware abuses accessibility permissions to maintain persistent control and communicates with a Firebase-based command-and-control infrastructure to manage infected devices. An Indonesian threat actor promotes and sells the malware through a Telegram channel.
Interestingly, several SURXRAT samples now include a large language model (LLM) component, which suggests that attackers experiment with artificial intelligence (AI) features alongside traditional surveillance tools.
However, the malware downloads the LLM module only under specific conditions, such as when these gaming applications run on the device:
- Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax)
- Free Fire x JUJUTSU KAISEN (com.dts.freefireth)
Some SURXRAT variants also contain a ransomware-style screen locker, allowing attackers to lock the device completely until the victim pays a ransom.
“This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities,” Cyble said. “The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection.”
Source: TheHackerNews