Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets
Summary
Six new Android malware families have been discovered, targeting Pix payments, banking apps, and cryptocurrency wallets. These malware families include PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. They steal data and conduct financial fraud, with some using advanced techniques like real-time screen monitoring and AI integration. PixRevolution specifically targets Brazil's Pix instant payment platform, hijacking money transfers in real time. It uses an "agent-in-the-loop" model where a remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed. BeatBanker spreads via phishing attacks and uses an unusual persistence mechanism involving an almost inaudible audio file. TaxiSpy RAT abuses Android's accessibility service and MediaProjection APIs to collect sensitive data. Mirax and Oblivion are offered as malware-as-a-service (MaaS) with various capabilities. SURXRAT is marketed through a Telegram-based MaaS ecosystem and includes a ransomware-style screen locker module.
Timeline
- 12.03.2026 09:56 (2 articles)
Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets
Sources:
- Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time — www.infosecurity-magazine.com — 12.03.2026 18:00
Information Snippets
- PixRevolution targets Brazil's Pix instant payment platform, hijacking money transfers in real time.
First reported: 12.03.2026 09:56 (2 sources, 2 articles). Sources:
- Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time — www.infosecurity-magazine.com — 12.03.2026 18:00
- BeatBanker spreads via phishing attacks and uses an unusual persistence mechanism involving an almost inaudible audio file.
First reported: 12.03.2026 09:56 (1 source, 1 article). Sources:
- Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- TaxiSpy RAT abuses Android's accessibility service and MediaProjection APIs to collect sensitive data.
First reported: 12.03.2026 09:56 (1 source, 1 article). Sources:
- Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- Mirax is offered as a malware-as-a-service (MaaS) with banking overlays, information gathering, and a SOCKS5 proxy.
First reported: 12.03.2026 09:56 (1 source, 1 article). Sources:
- Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- Oblivion RAT is sold for around $300 per month and claims to bypass detection and security features on devices from major manufacturers.
First reported: 12.03.2026 09:56 (1 source, 1 article). Sources:
- Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- SURXRAT is marketed through a Telegram-based MaaS ecosystem and includes a ransomware-style screen locker module.
First reported: 12.03.2026 09:56 (1 source, 1 article). Sources:
- Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets — thehackernews.com — 12.03.2026 09:56
- PixRevolution uses an "agent-in-the-loop" model where a remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed.
First reported: 12.03.2026 18:00 (1 source, 1 article). Sources:
- PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time — www.infosecurity-magazine.com — 12.03.2026 18:00
- PixRevolution spreads through fraudulent download pages designed to resemble the official Google Play store.
First reported: 12.03.2026 18:00 (1 source, 1 article). Sources:
- PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time — www.infosecurity-magazine.com — 12.03.2026 18:00
- PixRevolution relies on continuous monitoring through Android accessibility permissions, live screen streaming to an attacker-controlled command server, keyword detection to identify financial transactions, and a fake loading overlay that hides the moment payment details are replaced.
First reported: 12.03.2026 18:00 (1 source, 1 article). Sources:
- PixRevolution Malware Hijacks Brazil's PIX Transfers in Real Time — www.infosecurity-magazine.com — 12.03.2026 18:00
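The three components just listed (accessibility-driven monitoring, live screen streaming, and a touch-stealing overlay) each map to a platform control a payment app can apply on its transfer screen. The Android code below is an added illustration written for this page; it is not code from the reporting vendors, from PixRevolution, or from any bank. The class and method names are hypothetical, and it assumes a normal unrooted device where the platform APIs behave as documented.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.ServiceInfo;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/**
 * Defensive hardening for a transfer-confirmation screen. Hypothetical helper
 * written for this digest, not part of any vendor SDK or banking app.
 */
public final class PaymentScreenHardening {

    private PaymentScreenHardening() {}

    /**
     * FLAG_SECURE makes this window render black in screenshots and in
     * MediaProjection captures, so a remote operator streaming the screen
     * sees nothing while the transfer form is displayed.
     */
    public static void blockScreenCapture(Activity activity) {
        activity.getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
    }

    /**
     * Discard touches delivered while another window (for example a fake
     * "loading" overlay) is drawn on top of the confirm button. The button
     * then cannot be driven through an overlay the user cannot see past.
     */
    public static void rejectObscuredTouches(View confirmButton) {
        confirmButton.setFilterTouchesWhenObscured(true);
    }

    /**
     * Enumerate enabled accessibility services whose package is not on the
     * system image. A non-empty result is a risk signal that should trigger
     * step-up or out-of-band confirmation of the transfer, not proof of
     * infection: legitimate third-party screen readers and automation tools
     * show up here as well.
     */
    public static List<String> enabledNonSystemAccessibilityServices(Context ctx) {
        List<String> result = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return result;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            if (info.getResolveInfo() == null) {
                continue;
            }
            ServiceInfo si = info.getResolveInfo().serviceInfo;
            boolean fromSystemImage =
                    (si.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (!fromSystemImage) {
                result.add(si.packageName + "/" + si.name);
            }
        }
        return result;
    }

    /**
     * Apply all three measures when the transfer screen is shown and hand the
     * accessibility findings back to the caller's risk engine.
     */
    public static List<String> hardenTransferScreen(Activity activity, View confirmButton) {
        blockScreenCapture(activity);
        rejectObscuredTouches(confirmButton);
        return enabledNonSystemAccessibilityServices(activity);
    }
}
```

Call `hardenTransferScreen` from the activity's `onCreate` before the recipient and amount fields are populated. Two caveats matter in practice: `FLAG_SECURE` blanks the pixels but does not stop an accessibility service from reading field text through the node tree, so sensitive views should additionally be marked accessibility-data-sensitive on API 34 and later; and all of these controls assume an unrooted device, so the accessibility finding is best treated as one input to server-side transaction risk scoring rather than a client-side gate on its own.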
Similar Happenings
Cellik Android Malware-as-a-Service Leverages Google Play Apps
A new Android malware-as-a-service (MaaS) named Cellik is being advertised on underground forums. It offers capabilities to embed malicious code into legitimate Google Play apps, creating trojanized versions that appear trustworthy. The malware can capture screen activity, intercept notifications, exfiltrate files, and communicate via encrypted channels. It is sold for $150/month or $900 for lifetime access. Cellik's ability to integrate with Google Play apps may help it bypass Play Protect, although this claim is unconfirmed. The malware can overlay fake login screens, inject malicious code into apps, and turn trusted apps rogue. Users are advised to avoid sideloading APKs, keep Play Protect active, review app permissions, and monitor for unusual activity.
NFC Relay Malware Surge Targeting European Payment Cards
A surge of NFC relay malware targeting payment cards has been observed in Eastern Europe. Over 760 malicious Android apps have been identified, exploiting Host Card Emulation (HCE) to steal contactless credit card data. The malware captures EMV fields, manipulates APDU commands, and enables unauthorized payments. The malware has evolved into multiple variants, including data harvesters, relay toolkits, and ghost-tap payments. It has spread across Poland, the Czech Republic, Russia, and Slovakia. The apps impersonate Google Pay and various financial institutions, with over 70 command-and-control servers and Telegram bots facilitating the attacks. New research reveals over 54 malicious APK samples, often disguised as legitimate financial apps, are being sold and promoted within Chinese-language cybercrime communities on Telegram. Victims are targeted through smishing and vishing campaigns, and card data is transmitted via C2 servers to complete fraudulent transactions. Prominent vendors like TX-NFC, X-NFC, and NFU Pay sell access to this malware, with TX-NFC alone having over 21,000 subscribers.
Klopatra Android Trojan Conducts Nighttime Bank Transfers
A new Android banking malware, Massiv, is posing as an IPTV app to steal digital identities and access online banking accounts. The malware targets users in Spain, Portugal, France, and Turkey, with a particular focus on a Portuguese government app connected to Chave Móvel Digital. Massiv uses screen overlays, keylogging, SMS interception, and remote control to obtain sensitive data and can open new accounts in the victim's name for money laundering and loans. The malware provides two remote control modes: screen live-streaming and UI-tree mode, which extracts structured data from the Accessibility Service. This trend of using IPTV apps as lures for Android malware infections has increased over the past eight months. Previously, the Klopatra Android Trojan was identified, capable of performing unauthorized bank transfers while the device is inactive. Klopatra targets users in Italy and Spain, with over 3,000 devices infected. It disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. The malware employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. Klopatra operates during nighttime hours, draining victims' bank accounts without alerting them.
Datzbro Android Trojan Targeting Elderly via AI-Generated Facebook Events
A new Android banking trojan named Datzbro is targeting elderly users through AI-generated Facebook events. The malware, discovered in August 2025, conducts device takeover (DTO) attacks and performs fraudulent transactions. It exploits social engineering tactics to trick victims into downloading malicious APK files from fraudulent links. The threat actors behind Datzbro focus on users in Australia, Singapore, Malaysia, Canada, South Africa, and the U.K. The malware leverages Android's accessibility services to perform remote actions, record audio, capture photos, and steal credentials. It also includes features to hide malicious activities and steal device lock screen PINs and passwords associated with Alipay and WeChat. Datzbro is believed to be the work of a Chinese-speaking threat group, with its command-and-control (C2) backend being a Chinese-language desktop application. The malware has been distributed freely among cybercriminals after a compiled version of the C2 app was leaked.
GPUGate Malware Campaign Targets IT Firms in Western Europe
The **GPUGate malware campaign** continues to evolve, now leveraging **Claude AI artifacts and Google Ads** to distribute **MacSync and AMOS infostealers** via **ClickFix attacks**. Over **15,600 users** have accessed malicious Claude-generated guides, which instruct victims to execute Terminal commands fetching malware payloads. This follows earlier waves abusing **ChatGPT/Grok chats, fake GitHub repositories, and malvertising** to deploy stealers targeting credentials, crypto wallets, and system data. The campaign, active since **April 2023**, has expanded from traditional phishing to **abusing AI ecosystems, supply-chain weaknesses, and trusted platforms** (e.g., Homebrew, LogMeIn, AI assistants). Russian-speaking actors operate **AMOS as a Malware-as-a-Service (MaaS)**, with stolen logs sold in underground markets to fuel fraud, ransomware, and account takeovers. The latest **Claude artifact abuse** underscores the shift toward **high-impact, scalable distribution channels**, exploiting weak platform vetting and user trust in AI-generated content. Organizations should monitor for **suspicious Terminal activity, C2 traffic to domains like `a2abotnet[.]com`, and unauthorized data egress** while educating users on **ClickFix-style lures** and unverified AI tool instructions.