A new Android banking Trojan called PixRevolution is targeting Brazil's Pix instant payment system, which is used by over 75% of the Brazilian population. Unlike traditional automated banking malware, PixRevolution combines classic Trojan techniques with a real-time human or AI operator who monitors the victim's screen and hijacks payment transactions at the exact moment they occur. The malware spreads via fake Google Play Store pages impersonating trusted brands, tricks users into enabling Android accessibility services, then establishes a C2 connection giving attackers full device visibility including screen capture, taps, and audio. When a Pix payment is initiated, the attacker diverts funds while displaying a fake 'please wait' overlay. Security experts recommend that financial institutions integrate mobile threat detection into fraud workflows to identify compromised devices before fraudulent transactions complete.
Table of contents
The PixRevolution Difference: AI Agents and Precise Timing WindowsHow to Defend Against PixRevolutionSort: