PIXREVOLUTION is an Android banking trojan that quietly sits on a victim’s device and can hijack Brazil’s instant PIX transfers in real time, according to Zimperium’s analysis. The malware monitors the device and, during a PIX transaction, replaces the recipient’s payment key with one controlled by attackers, allowing the transfer to complete with the victim unaware of the diversion.
It uses an “agent-in-the-loop” model, with a remote operator watching the victim’s screen in near real time and intervening at the moment a payment is processed. The attack chain includes a fake loading overlay reading “Aguarde…”, a loading screen that hides the precise moment when payment details are replaced, and techniques such as continuous monitoring, live screen streaming, and keyword detection.
The campaign spreads via fraudulent download pages mimicking the Google Play store, where users are prompted to enable an accessibility service called “Revolution” that grants extensive device access. Brazil’s PIX, launched in 2020 by the Central Bank of Brazil, now has more than 76% of Brazilians using it and processes over three billion transactions each month.