A new Android banking Trojan named PixRevolution targets Brazil’s Pix mobile payments, sitting stealthily on the device until the user initiates a transfer. According to a blog post by Aazim Yaswant, the campaign combines real-time operators or AI agents with classic malware to hijack payments as they occur and divert the funds to criminals.
Initial access is via fake Google Play Store pages that download a malicious APK. The APK registers a fictitious Android accessibility option called “Enable Revolution”, which gives it control of taps, swipes, on-screen text and microphone audio. The Trojan establishes a command-and-control channel on port 9000, enabling the operator to view the screen in real time and trigger the hijack the moment a transaction happens. It is aided by a list of more than 80 Portuguese banking terms used to monitor on-screen text.
In the final step, an overlay stating “Aguarde…” appears while the fraud takes place behind the scenes. PixRevolution is framed as an evolution in mobile financial fraud, combining real-time operators and traditional malware into a precise, real-time attack.