Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets
Summary
Six Android malware families continue to target Pix payments, banking apps, and cryptocurrency wallets, with Mirax expanding its capabilities beyond financial theft. The Mirax trojan now integrates residential proxy functionality, enabling attackers to route malicious traffic through compromised devices and evade geographic restrictions. Mirax, previously identified as a banking trojan offered through a malware-as-a-service ecosystem, now operates under a restricted MaaS model targeting Spanish-speaking users with campaigns exceeding 200,000 accounts via social media advertisements. It provides full real-time device control, dynamic fake overlays fetched from C2 servers, and surveillance features including keylogging and lock screen detail collection. Distribution relies on social engineering via illegal streaming app promotions, with malware hosted on GitHub and device evasion techniques. Compromised devices are repurposed as residential proxies for broader cybercriminal activities, including account takeovers and anonymized network attacks.
Timeline
- 12.03.2026 09:56 · 3 articles
Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets
Six new Android malware families have been discovered, targeting Pix payments, banking apps, and cryptocurrency wallets: PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. They steal data and conduct financial fraud, with some using advanced techniques such as real-time screen monitoring and AI integration. PixRevolution specifically targets Brazil's Pix instant payment platform, hijacking money transfers in real time. It uses an "agent-in-the-loop" model in which a remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed. BeatBanker spreads via phishing attacks and uses an unusual persistence mechanism involving an almost inaudible audio file. TaxiSpy RAT abuses Android's accessibility service and MediaProjection APIs to collect sensitive data. Mirax and Oblivion are offered as malware-as-a-service (MaaS) with various capabilities. SURXRAT is marketed through a Telegram-based MaaS ecosystem and includes a ransomware-style screen locker module. The Mirax trojan is now confirmed to combine remote access features with residential proxy capabilities, broadening its impact beyond financial theft. It operates under a restricted MaaS model, targeting Spanish-speaking users with campaigns reaching over 200,000 accounts through social media advertisements. Mirax enables attackers to fully control infected devices in real time, execute commands, monitor activity, and deploy dynamic fake overlays fetched from C2 servers. It integrates continuous keylogging and collects lock screen details such as PIN structure and biometric usage. Distribution relies on social engineering via illegal streaming app promotions, with malware hosted on GitHub and device evasion techniques. Once installed, it decrypts hidden payloads, establishes WebSocket communication for remote control, and converts devices into residential proxy nodes that route malicious traffic through legitimate IP addresses, bypassing geographic restrictions and fraud detection systems.
Sources:
- Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time — www.infosecurity-magazine.com — 12.03.2026 18:00
- Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
Information Snippets
- PixRevolution targets Brazil's Pix instant payment platform, hijacking money transfers in real time.
  First reported: 12.03.2026 09:56 (2 sources, 2 articles). Sources:
  - Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
  - PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time — www.infosecurity-magazine.com — 12.03.2026 18:00
- BeatBanker spreads via phishing attacks and uses an unusual persistence mechanism involving an almost inaudible audio file.
  First reported: 12.03.2026 09:56 (1 source, 1 article). Sources:
  - Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- TaxiSpy RAT abuses Android's accessibility service and MediaProjection APIs to collect sensitive data.
  First reported: 12.03.2026 09:56 (1 source, 1 article). Sources:
  - Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- Mirax is offered as a malware-as-a-service (MaaS) with banking overlays, information gathering, and a SOCKS5 proxy.
  First reported: 12.03.2026 09:56 (2 sources, 2 articles). Sources:
  - Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
  - Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
- Oblivion RAT is sold for around $300 per month and claims to bypass detection and security features on devices from major manufacturers.
  First reported: 12.03.2026 09:56 (1 source, 1 article). Sources:
  - Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- SURXRAT is marketed through a Telegram-based MaaS ecosystem and includes a ransomware-style screen locker module.
  First reported: 12.03.2026 09:56 (1 source, 1 article). Sources:
  - Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- PixRevolution uses an "agent-in-the-loop" model in which a remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed.
  First reported: 12.03.2026 18:00 (1 source, 1 article). Sources:
  - PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time — www.infosecurity-magazine.com — 12.03.2026 18:00
- PixRevolution spreads through fraudulent download pages designed to resemble the official Google Play store.
  First reported: 12.03.2026 18:00 (1 source, 1 article). Sources:
  - PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time — www.infosecurity-magazine.com — 12.03.2026 18:00
- PixRevolution relies on continuous monitoring through Android accessibility permissions, live screen streaming to an attacker-controlled command server, keyword detection to identify financial transactions, and a fake loading overlay that hides the moment payment details are replaced.
  First reported: 12.03.2026 18:00 (1 source, 1 article). Sources:
  - PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time — www.infosecurity-magazine.com — 12.03.2026 18:00
- Mirax combines remote access features with residential proxy capabilities to broaden its impact.
  First reported: 13.04.2026 17:30 (1 source, 1 article). Sources:
  - Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
- Mirax operates under a restricted Malware-as-a-Service (MaaS) model, limiting access to a small group of affiliates.
  First reported: 13.04.2026 17:30 (1 source, 1 article). Sources:
  - Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
- Mirax targets Spanish-speaking users with campaigns reaching over 200,000 accounts through social media advertisements.
  First reported: 13.04.2026 17:30 (1 source, 1 article). Sources:
  - Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
- Mirax enables attackers to fully control infected devices in real time, execute commands, monitor activity, and deploy fake overlays on legitimate applications.
  First reported: 13.04.2026 17:30 (1 source, 1 article). Sources:
  - Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
- Mirax integrates continuous keylogging and collects lock screen details such as PIN structure and biometric usage.
  First reported: 13.04.2026 17:30 (1 source, 1 article). Sources:
  - Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
- Mirax spreads via malicious advertisements promoting illegal streaming applications, fake IPTV or streaming apps used as droppers, and malware hosted on GitHub with frequent updates.
  First reported: 13.04.2026 17:30 (1 source, 1 article). Sources:
  - Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
- Mirax uses device checks to evade automated analysis and establishes communication via WebSockets for remote control and data extraction.
  First reported: 13.04.2026 17:30 (1 source, 1 article). Sources:
  - Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
- Mirax converts infected devices into residential proxy nodes, allowing attackers to route malicious traffic through legitimate IP addresses to bypass restrictions and fraud detection.
  First reported: 13.04.2026 17:30 (1 source, 1 article). Sources:
  - Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
Similar Happenings
Cellik Android Malware-as-a-Service Leverages Google Play Apps
A new Android malware-as-a-service (MaaS) named Cellik is being advertised on underground forums. It offers the ability to embed malicious code into legitimate Google Play apps, producing trojanized versions that appear trustworthy. The malware can capture screen activity, intercept notifications, exfiltrate files, and communicate over encrypted channels. It is sold for $150/month or $900 for lifetime access. Cellik's ability to integrate with Google Play apps may help it bypass Play Protect, although this claim is unconfirmed. The malware can overlay fake login screens, inject malicious code into apps, and turn trusted apps rogue. Users are advised to avoid sideloading APKs, keep Play Protect active, review app permissions, and monitor for unusual activity.
NFC Relay Malware Surge Targeting European Payment Cards
A surge of NFC relay malware targeting payment cards has been observed in Eastern Europe. Over 760 malicious Android apps have been identified that exploit Host Card Emulation (HCE) to steal contactless credit card data. The malware captures EMV fields, manipulates APDU commands, and enables unauthorized payments. It has evolved into multiple variants, including data harvesters, relay toolkits, and ghost-tap payments, and has spread across Poland, the Czech Republic, Russia, and Slovakia. The apps impersonate Google Pay and various financial institutions, with over 70 command-and-control servers and Telegram bots facilitating the attacks. New research reveals that over 54 malicious APK samples, often disguised as legitimate financial apps, are being sold and promoted within Chinese-language cybercrime communities on Telegram. Victims are targeted through smishing and vishing campaigns, and card data is transmitted via C2 servers to complete fraudulent transactions. Prominent vendors such as TX-NFC, X-NFC, and NFU Pay sell access to this malware, with TX-NFC alone having over 21,000 subscribers.
Herodotus Android malware evades detection with human-like typing
A new Android malware family, Herodotus, uses random typing delays to mimic human behavior and evade detection by security software. The malware is offered as a service to financially motivated cybercriminals and is currently targeting Italian and Brazilian users through SMS phishing. Herodotus bypasses the Accessibility permission restrictions introduced in Android 13 and later, allowing it to interact with the user interface and steal sensitive information. It includes a 'humanizer' mechanism that introduces random delays in text input to avoid detection by behavioral anti-fraud solutions. It also features a control panel for custom SMS texts, overlay pages for credential theft, and SMS stealing for two-factor authentication interception. Herodotus is spread by multiple threat actors, with seven distinct subdomains detected. The malware is under active development and targets financial organizations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges. It is designed to perform device takeover (DTO) attacks and can steal two-factor authentication (2FA) codes sent via SMS, intercept screen content, grab the lock screen PIN or pattern, and install remote APK files.
Klopatra Android Trojan Conducts Nighttime Bank Transfers
A new Android banking malware, Massiv, is posing as an IPTV app to steal digital identities and access online banking accounts. The malware targets users in Spain, Portugal, France, and Turkey, with a particular focus on a Portuguese government app connected to Chave Móvel Digital. Massiv uses screen overlays, keylogging, SMS interception, and remote control to obtain sensitive data, and it can open new accounts in the victim's name for money laundering and loans. The malware provides two remote control modes: screen live-streaming and a UI-tree mode that extracts structured data from the Accessibility Service. The use of IPTV apps as lures for Android malware infections has increased over the past eight months. Previously, the Klopatra Android Trojan was identified, capable of performing unauthorized bank transfers while the device is inactive. Klopatra targets users in Italy and Spain, with over 3,000 devices infected. It disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. The malware employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. Klopatra operates during nighttime hours, draining victims' bank accounts without alerting them.
Datzbro Android Trojan Targeting Elderly via AI-Generated Facebook Events
A new Android banking trojan named Datzbro is targeting elderly users through AI-generated Facebook events. The malware, discovered in August 2025, conducts device takeover (DTO) attacks and performs fraudulent transactions. It exploits social engineering tactics to trick victims into downloading malicious APK files from fraudulent links. The threat actors behind Datzbro focus on users in Australia, Singapore, Malaysia, Canada, South Africa, and the U.K. The malware leverages Android's accessibility services to perform remote actions, record audio, capture photos, and steal credentials. It also includes features to hide malicious activities and steal device lock screen PINs and passwords associated with Alipay and WeChat. Datzbro is believed to be the work of a Chinese-speaking threat group, with its command-and-control (C2) backend being a Chinese-language desktop application. The malware has been distributed freely among cybercriminals after a compiled version of the C2 app was leaked.