
Image by Amin Moshrefi, from Unsplash
PixPirate Malware Uses WhatsApp to Trick Users, Steal Financial Data
- Written by Kiara Fabbri, Former Tech News Writer
- Fact-Checked by Sarah Frazier, Former Content Manager
PixPirate malware, spreading via WhatsApp, targets financial apps in Brazil, India, Italy, and Mexico, stealing data and staying hidden.
In a Rush? Here are the Quick Facts!
- It spreads through phishing messages via SMS and WhatsApp from infected devices.
- The malware disguises itself as a legitimate financial app for authentication or updates.
- The malware remains hidden by not displaying an icon on the home screen.
A new wave of malware known as PixPirate is spreading rapidly, primarily targeting banking users in Brazil and India, with its reach extending to Italy and Mexico.
Security researchers from Trusteer Lab have identified this threat, highlighting its sophisticated techniques that trick users into downloading malicious apps disguised as legitimate financial tools, as reported by Security Intelligence.
PixPirate consists of two main components: a downloader and a dropper (called the droppee). The downloader pretends to be an authentication app designed to protect banking accounts. Once installed, it not only runs the malicious dropper but also actively manages its operations, enabling financial fraud.
This app is not available on official platforms like the Google Play Store. Instead, it spreads through phishing messages sent via SMS (known as smishing) or WhatsApp spam from infected users.
Once the downloader is installed, it tricks users into granting permissions by claiming an “update” is required. In reality, this process installs the dropper malware on the victim’s device. The dropper stays hidden, with no icon displayed on the home screen, making detection difficult for users.
Initially identified in Brazil, PixPirate primarily targets the country’s Pix payment system, widely used in Brazilian banking apps. Trusteer Lab reports that around 70% of infections are in Brazil.
However, 20% of cases have been identified in India, where the malware seems to be preparing to target the country’s Unified Payments Interface (UPI) platform, which facilitates instant payments for millions of users.
Infections have also begun to surface in Italy and Mexico, suggesting the attackers aim to expand their operations globally. The malware’s developers use tools like instructional YouTube videos to guide victims on granting permissions, further aiding its spread.
A unique feature of PixPirate is its integration with WhatsApp to send phishing messages from infected devices. By accessing victims’ contact lists, it spreads itself by sending messages that appear to come from trusted sources, exploiting the recipient’s sense of security.
During this activity, PixPirate uses an overlay to hide its operations from the user, ensuring the victim remains unaware. Security Intelligence notes that PixPirate employs sophisticated methods, including remote access, SMS interception, and anti-removal capabilities.
It even uses Android’s accessibility services to mimic human interaction, such as clicking buttons to send WhatsApp messages. These features enable the malware to perform fraud automatically and stealthily.
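The traits described above (no home-screen icon, an accessibility service, SMS and contact access) are all visible in an app's manifest. The following Python triage over a decoded AndroidManifest.xml is an added example, not code from the article or from Trusteer Lab; the package name and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.updater">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Update">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return the list of risk indicators found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = []
    # No activity or alias with the LAUNCHER category means no home-screen icon.
    launchers = [c for tag in ("activity", "activity-alias")
                 for comp in root.iter(tag)
                 for c in comp.iter("category")
                 if c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"]
    if not launchers:
        findings.append("no-launcher-icon")
    # A service guarded by BIND_ACCESSIBILITY_SERVICE can observe and drive the UI.
    if any(s.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        findings.append("accessibility-service")
    if perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        findings.append("sms-access")
    if "android.permission.READ_CONTACTS" in perms:
        findings.append("contacts-access")
    return findings


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Each indicator also occurs in legitimate apps, so the combination is a triage signal for manual review rather than a verdict.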
PixPirate’s resurgence highlights the growing sophistication of cybercriminal operations targeting mobile banking platforms worldwide. Users are advised to avoid downloading apps from unknown sources, scrutinize unexpected messages, and use strong cybersecurity measures to protect their devices.

Image by Yan Krukau, from Pexels
Hackers Exploit Game Engine To Spread Cross-Platform Malware
- Written by Kiara Fabbri, Former Tech News Writer
- Fact-Checked by Sarah Frazier, Former Content Manager
Hackers exploit the Godot Engine to spread undetected malware, targeting devices across platforms via GitHub’s Stargazers Ghost Network.
In a Rush? Here are the Quick Facts!
- Stargazers Ghost Network distributes GodLoader via 200 GitHub repositories.
- The malware targets multiple platforms, including Windows, macOS, Linux, and Android.
- Over 1.2 million users of Godot-developed games are potential targets of this attack.
Cybersecurity researchers at Check Point have discovered a new technique that exploits the Godot Engine, an open-source tool used for creating video games, to deliver malware.
This method uses Godot’s scripting language, GDScript, to execute harmful commands, allowing attackers to infect devices while remaining undetected by most antivirus software.
Godot is a popular game development platform known for its flexibility and ability to support various operating systems, including Windows, macOS, Linux, Android, and iOS.
Its open-source nature has made it a favorite among developers. Unfortunately, its flexibility has also made it a target for cybercriminals.
The newly identified malware, called “GodLoader,” takes advantage of the Godot Engine’s features to install malicious software on victims’ devices. The malware is distributed through a network operating on GitHub, known as the Stargazers Ghost Network.
This network disguises malicious files as legitimate software and shares them via repositories that appear trustworthy. Between September and October 2024, around 200 GitHub repositories were used to distribute GodLoader, tricking users into downloading infected files.
This technique is particularly concerning because it targets multiple platforms. The Godot Engine’s cross-platform design enables attackers to spread malware across various devices, including Windows PCs, Mac computers, and Linux systems.
Android devices are also at risk, with slight adjustments to the malware’s structure. While iOS devices are less vulnerable due to strict security protocols, the threat still looms large for a broad range of users.
The scale of this attack is significant. Over 1.2 million players could be targeted if cybercriminals successfully compromise games developed with the Godot Engine.
Attackers could exploit downloadable game content, such as mods, to deliver malicious payloads. Once the files are executed, they could steal sensitive information, install additional malware, or even disrupt systems.
Despite the severity of the threat, most antivirus programs fail to detect this type of malware. By embedding harmful scripts within legitimate-looking files, attackers bypass standard security measures, spreading malware undetected.
Gamers and developers are advised to exercise caution, avoid downloading files from unofficial sources, and ensure that their antivirus software is up to date. This discovery highlights the growing sophistication of cyberattacks and the importance of vigilance in an increasingly interconnected digital environment.