Virus that diverts Pix is ​​booming in the country; know how to protect yourself – 09/13/2023 – Tech

After the ghost hand scam, a cell phone virus capable of embezzling money via Pix has been growing in Brazil, according to cybersecurity company Kaspersky. The technology developed by Brazilian criminals was detected in December and, although restricted to the country, it is already the second most registered fraud in all of Latin America.

The malicious program accounts for 1,385 scam records in 2023, according to the survey carried out at the request of Sheet. The leadership in Latin American countries belongs to viruses from the Banbra family, used for remote access to smartphones in the phantom hand, with 2,039 occurrences.

In Pix fraud, criminals are able to change the recipient and the transfer amount. The malicious program (malware) works in the step before requesting the password — the few signs are screen shakes and slow loading times. Scammers take up to 95% of the account balance in a single scam.

To infect cell phones, crackers — hackers focused on criminal activities — use fake notifications and applications. In one of the episodes, for example, the scam began with the announcement of a WhatsApp update, which redirected to a simulacrum of the messaging app. Anyone who downloaded the “Whats App v2.5 Update” program was compromised.

See the effects of the virus on the functioning of the banking application in the video below.

The app was taken down from Google Play, after notice from Kaspersky. The company’s senior security analyst Fabio Marenghi states that he maintains constant contact with the company responsible for the Android operating system. The criminals’ mode of operation was presented at Kaspersky’s Latin American Cybersecurity Conference, held in Costa Rica.

In a note sent to the report, Google states that security in its app store is a priority. “Our users are protected by Google Play Protect, which identifies harmful behavior on Android apps and devices and alerts users.”

Viruses also exist for Apple devices, such as iPhones, but are less common.

This malicious program model offers advantages to cybercriminals by allowing large-scale operations. Unlike the ghost hand scam, which requires direct intervention from the fraudster, Pix’s diversion is carried out automatically by the software itself.

TAKE COVER

The malware gains access to sensitive data through so-called accessibility options — features that help people with sensory or movement disabilities, such as text reader and automatic clicking.

Thus, the program analyzes geolocation information, step counter (pedometer), time and other data from the device to calculate the times when users are most likely to use banking applications. To do this, he spends time just spying on the routine of the person he is targeting.

This preparation allows the automatic triggering of the virus, which is ready to tamper with Pix.

To prevent the scam, the first step is to be suspicious of any notification that asks for “access to accessibility options.” This applies to both browser and application requests, according to Marenghi.

This permission gives broad access to the smartphone’s functionalities and is only necessary for those who need some assistance from the device to use applications, which must be selected carefully.

After carrying out the fraud, the malicious program itself uninstalls itself to erase traces.

Cybercriminals choose Pix as their operating point due to its speed. With instant payment technology, it is possible to spread money across multiple accounts. This makes it very difficult to track values, according to the director of Kaspersky’s Global Research and Analysis Team, Fabio Assolini.

Researchers from cybersecurity companies have been following Pix’s diversion tactics since the end of 2022. The first malware in the family known to the public was Brasdex. The cybersecurity company that serves financial institutions, Allow Me, claims that it can already identify the virus and prevent losses.

As cybercriminals organize themselves into communities and exchange information, there are other malicious programs that work similarly.

The tactic known as ATS, of automatically diverting payments, was applied to personal computers in the early 2010s. It was replaced by remote access scams, as banks put in place efficient protections to stop it.

For cell phones, these barriers are still in development. Still, infecting smartphones with malicious code is more difficult, as the operating systems on these devices give users less freedom to install programs and make customizations.

VIRUSES AS A SERVICE

Crackers also make a profit by selling ready-made malicious programs to third parties. On YouTube, there are videos with instructions on how to perform the ghost hand scam, after paying for the Ghost Rat program.

The Ghost Rat channel provides contact links on WhatsApp and Telegram and has 102 thousand subscribers. The content encourages the audience to supposedly acquire the malware to make money, such as the video “See how to clean your customers.”

Another advertisement for the virus on a forum says: “Are you going to live an insect’s life? Come and learn how to rob banks from the first on the internet.”

COMPUTERS ARE STILL PREFERRED TARGET

Trojan viruses against personal computers are the most recurrent attacks in the country, with 1.877 million occurrences detected by Kaspersky.

The number of detections of these malicious programs grew 32% between August 2022 and July 2023, compared to the previous 12 months. Among the 12 most common viruses found in Latin America, 7 came from the hands of Brazilian developers.

The focus of Brazilian cybercriminals on personal computers goes against the national preference for mobile banking — the use of banking services on smartphones.

Cell phones accounted for 66% of banking transactions in 2022, shows the 2023 Febraban Banking Technology survey. Computers represent 14% of this total.

_{Journalist traveled at the invitation of Kaspersky}