
Real-Time Banking Trojan Strikes Brazil's Pix Users

Dark Reading, archived Mar 16, 2026

The latest banking Trojan campaign to hit Brazil combines classic malware with a real-time human operator, waiting for the perfect moment to strike.



Alexander Culafi, Senior News Writer, Dark Reading
March 13, 2026

A new Android-based banking Trojan is targeting mobile payments in Brazil and hijacking them on the way to their destination.

Dubbed "PixRevolution," the Trojan relies on the widespread use of Pix, a mobile instant payment system implemented by the Central Bank of Brazil in 2020; more than three quarters of the Brazilian population use it.

Researchers from mobile security vendor Zimperium's zLabs team identified a novel banking Trojan "specifically targeting this system and implicitly targeting most Brazilian financial institutions," malware analyst Aazim Yaswant wrote in a blog post.

Banking Trojans are unfortunately notorious in South America's largest country; one known as Maverick emerged in 2024 that self-terminates if the victim is located outside Brazil. As for why these attacks are so prevalent, that's a more complicated answer that comes down to the high use of mobile payments in the country, as well as other complexities in the Latin American security landscape.

That said, it's worth noting that mobile attacks are an attractive target globally, and have only become increasingly so in recent years.

Kern Smith, VP of global solutions engineering at Zimperium, tells Dark Reading that Brazil is an appealing target to attackers because it has one of the most advanced mobile banking ecosystems in the world.

"Large numbers of users rely on mobile apps for everyday banking and payments, creating a high-value attack surface," he says. "Many regional cybercrime groups have also specialized in banking malware for years and have adapted those techniques to mobile devices as financial activity shifted to smartphones."

The PixRevolution Difference: AI Agents and Precise Timing Windows

What makes PixRevolution stand out compared to other mobile malware is that the malware sits stealthily on the device until the victim initiates a Pix payment. When they do, a human or AI agent attacker actively observes and acts at the moment of transaction, diverting the payment to a criminal entity instead.

Initial access involves trickery and social engineering, as expected. The threat actors behind the campaign made fake Google Play Store pages hosted on their own domains and posing as trusted brands like Expedia or local services such as the post office. They are "perfect replicas," Yaswant wrote; when someone who stumbles on such a page attempts to download an app from the official Play Store, they instead download a malicious Android package kit (APK) file.

That APK file registers a new Android accessibility option called "Enable Revolution," but this is not a legitimate feature. Rather, when launching the app, the malware tells the user to activate the accessibility feature for application functionality (and not data collection) reasons. But when they do that, the Trojan completely takes over the device. It has access to taps, swipes, all on-screen text, and all audio that reaches the microphone.

The Trojan also establishes a command-and-control (C2) server through port 9000 and gives the operator access to real-time screen capture with little delay. This gives the threat actor full visibility into what the device sees, enabling them to hijack a bank transfer the moment it happens.
Furthermore, the malware has access to a list of more than 80 Portuguese words referring to bank transfers and financial transactions that it checks against every time new text appears on the screen. Finally, in the moment when the victim attempts to send a payment, the attacker puts up an HTML overlay telling them to please wait (Aguarde…) while the hijack takes place behind the scenes. The final step in the attack takes mere seconds from the victim's point of view.

How to Defend Against PixRevolution

Yaswant said PixRevolution marks an evolution in mobile financial fraud, combining real-time operators and traditional malware into a novel, precise attack.

"This malware family sidesteps the traditional arms race between automated Trojans and banking app defenses. It does not need to reverse-engineer each bank's UI," the analyst said. "It does not need to maintain a list of target applications. It does not need to guess when a transaction is happening. It simply watches and then acts."

Smith tells Dark Reading that in order to combat malware like PixRevolution, organizations "need to recognize that many of these attacks now originate on the mobile device itself."

"When malware compromises the device, attackers can intercept authentication codes or manipulate legitimate banking sessions while appearing to be the real user," he says. "Financial institutions should incorporate mobile threat visibility into their fraud detection and authentication workflows to identify compromised devices before fraudulent transactions occur."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.
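The article describes a sideloaded APK that gains control by getting the user to enable its accessibility service. The following is an added example, not part of the original article or Zimperium's research: a triage script that takes the output of two standard adb commands and flags enabled accessibility services whose package was not installed from a trusted store. The package names and sample output are constructed, and treating Google Play as the only trusted installer is an assumption.

```python
import re

# Constructed sample output (hypothetical package names) of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.HelperService"
)
# Constructed sample output of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded  installer=com.google.android.packageinstaller
"""
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

def parse_enabled_services(raw):
    """Split the colon-separated setting into (package, service class) pairs."""
    services = []
    for comp in raw.strip().split(":"):
        if "/" not in comp:  # empty value or the literal "null": nothing enabled
            continue
        pkg, cls = comp.split("/", 1)
        services.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return services

def parse_installers(raw):
    """Map package name -> installer package (None when reported as null)."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def flag_untrusted_services(services_raw, packages_raw, preinstalled=frozenset()):
    """Return enabled accessibility services whose package is not from a trusted store."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        installer = installers.get(pkg)
        if pkg not in preinstalled and installer not in TRUSTED_INSTALLERS:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings

if __name__ == "__main__":
    for finding in flag_untrusted_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print("REVIEW:", finding)
```

Preinstalled accessibility services can report a null installer; pass the package names from `adb shell pm list packages -s` as `preinstalled` to suppress them.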