New PixRevolution Malware Steals Brazil’s PIX Transfers in Real Time

HackRead, Mar 12, 2026

Why It Matters

PixRevolution demonstrates that real‑time, screen‑based attacks can bypass conventional mobile defenses, exposing millions of Brazilian consumers and banks to irreversible financial loss. The malware’s success could erode confidence in PIX, Brazil’s flagship digital payments infrastructure.

Key Takeaways

  • PixRevolution hijacks PIX transfers via real‑time screen overlay.
  • Malware uses accessibility service to read and modify transaction fields.
  • Distribution relies on fake app stores mimicking popular services.
  • Human or AI operator intercepts payments instantly, bypassing traditional detection.
  • Affects all major Brazilian banks, threatens billions in monthly transactions.

Pulse Analysis

PIX has reshaped Brazil’s financial landscape since its 2020 launch, offering instant, low‑cost transfers that rival traditional banking channels. Its ubiquity—processing billions of transactions each month—makes it a prime target for cybercriminals seeking high‑value, low‑friction theft. While banks have bolstered backend fraud detection, the user‑side experience remains a vulnerable frontier, especially on Android devices where app ecosystems are less controlled than iOS.

PixRevolution leverages the Android Accessibility Service to monitor on‑screen text for over 80 Portuguese payment cues. By presenting a full‑screen "Aguarde…" spinner, the malware creates a window for a remote operator—human or AI—to replace the intended recipient’s PIX key with the attacker’s and trigger the confirmation tap. The dropper apps arrive via counterfeit Google Play‑lookalike sites, masquerading as trusted brands like Expedia or government portals, and include step‑by‑step guides to enable the required permissions, dramatically lowering the technical barrier for victims.

The emergence of agent‑in‑the‑loop attacks signals a shift from purely automated malware to hybrid models that can adapt instantly to user actions, rendering signature‑based defenses less effective. Financial institutions must augment their security stacks with real‑time behavioral analytics and educate users about the dangers of granting Accessibility access to unknown apps. Meanwhile, regulators may need to enforce stricter vetting of third‑party app distributors to protect the integrity of Brazil’s digital payment ecosystem.
