
Analysis of PixRevolution: Real-Time Interception of Brazil's Pix Payment System

Security researchers have identified PixRevolution, a strain of Android banking malware that intercepts instant payments by streaming device screens to remote operators. Defending against this requires organizations to integrate device-level threat visibility directly into their fraud detection workflows to identify unauthorized access before transactions complete.

Triage Security Media Team

A newly identified Android banking trojan, designated PixRevolution, is actively targeting mobile payments within Brazil's Pix instant payment framework. Analyzed by researchers from Zimperium’s zLabs team, the malware intercepts financial transfers during the transaction process.

The Pix system, launched by the Central Bank of Brazil in 2020, processes over three billion transactions monthly and is used by more than 75% of the Brazilian population. Because Pix transfers settle instantly and are irrevocable, a fraudulent transfer cannot be recalled once it is confirmed, so any security control has to act before confirmation. According to Zimperium malware analyst Aazim Yaswant, PixRevolution is engineered specifically for this zero-delay environment, relying on real-time remote operators rather than exclusively on automated scripts.

Brazil’s highly adopted mobile financial ecosystem makes it a frequent focal point for banking malware. Previous localized software, such as the Maverick trojan identified in 2024, included geographic restrictions that terminated the application if the device was located outside the country. The targeting of mobile platforms is part of a broader global trend; recent data from Zscaler indicates significant year-over-year increases in malware activity affecting Android and IoT devices across critical sectors, including manufacturing (111%), healthcare (224%), and energy (387%).

Infection Vectors and Social Engineering

The initial compromise relies on social engineering to bypass standard application store protections. Unauthorized parties distribute the malware through replica Google Play Store pages hosted on external domains. These pages impersonate trusted regional and global entities, such as the Brazilian postal service (Correios), the Superior Court of Justice (STJ), or the travel platform Expedia.

When users attempt to download these applications, they instead receive a malicious Android Package Kit (APK). Upon installation, the application presents an onboarding screen requesting the user to enable an Android accessibility service labeled "Enable Revolution." The prompt falsely assures the user that the permission is strictly for application functionality.

Once this accessibility service is enabled, the software gains comprehensive visibility into the device. It monitors all on-screen text, interface changes, audio inputs, and touch gestures.

The Interception Sequence

PixRevolution establishes a persistent transmission control protocol (TCP) connection to a command-and-control (C2) server over port 9000. It utilizes Android’s MediaProjection API to create a virtual display, capturing screen frames and streaming them to the remote operator with minimal latency.

The software operates silently in the background, continuously scanning on-screen text against a list of over 80 base64-encoded Portuguese phrases related to financial transactions. When it detects a keyword match indicating a pending Pix transfer, it alerts the C2 server.

At this exact moment, a human or AI operator actively monitoring the session intervenes:

  1. The malware generates a full-screen HTML overlay displaying "Aguarde…" (Please wait), temporarily obscuring the user's view.

  2. Using the accessibility API's findFocus and performAction methods, the service locates the active input field and overwrites the intended recipient's Pix key with one controlled by the unauthorized party.

  3. The software simulates a tap on the confirmation button by dynamically calculating the UI coordinates, completing the transfer.

  4. The overlay is removed, and the user is presented with a standard confirmation screen, unaware that the funds were redirected.

Defensive Strategies and Threat Visibility

PixRevolution demonstrates an evolution in mobile financial fraud by combining the technical persistence of traditional malware with the adaptability of real-time human or AI oversight. Because the software does not need to reverse-engineer specific banking applications or guess transaction timings, conventional automated defense mechanisms may not detect the interception.

Kern Smith, VP of global solutions engineering at Zimperium, notes that financial organizations must recognize that these risks originate directly on the user's device. When an application compromises the operating system's accessibility features, it can manipulate legitimate banking sessions while appearing as the authenticated user.

To protect users against this methodology, security teams and financial institutions should incorporate mobile threat visibility into their existing fraud detection and authentication workflows. By monitoring for indicators of device compromise—such as concurrent screen streaming or anomalous accessibility service behaviors—organizations can interrupt unauthorized sessions and flag compromised devices before a fraudulent transaction is finalized.
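As an added illustration (not code from the article or from Zimperium), a hypothetical Android banking-app activity that applies the device-level controls this section calls for: it blocks MediaProjection capture of the transfer form with FLAG_SECURE, marks the Pix key field and confirm button as accessibility-data-sensitive on Android 14+, and forwards the list of enabled accessibility services to a hypothetical RiskClient. The layout, view ids and RiskClient are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

// Hypothetical Pix transfer screen in a banking app (not code from the article).
// It denies screen streaming and accessibility-driven edits on the transfer form
// and reports enabled accessibility services to the bank's risk engine.
public class PixTransferActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE excludes the window from screenshots and MediaProjection
        // capture, so a streamed session shows black frames instead of the form.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_pix_transfer);   // hypothetical layout
        View pixKey  = findViewById(R.id.pix_key_field);  // hypothetical ids
        View confirm = findViewById(R.id.confirm_button);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            // Android 14+: services that do not declare themselves accessibility
            // tools can neither read these views nor run ACTION_SET_TEXT/ACTION_CLICK.
            pixKey.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
            confirm.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }
    }
    @Override
    protected void onResume() {
        super.onResume();
        List<String> services = enabledAccessibilityServices(this);
        if (!services.isEmpty()) {
            // Assistive tools appear here too, so send a risk signal (hypothetical client).
            RiskClient.report("accessibility_services", services);
        }
    }
    // Ids ("package/.ServiceClass") of every enabled accessibility service.
    static List<String> enabledAccessibilityServices(Context ctx) {
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> ids = new ArrayList<>();
        for (AccessibilityServiceInfo info : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ids.add(info.getId());
        }
        return ids;
    }
}
```

FLAG_SECURE stops the stream on every Android version, but on versions before 14 an enabled accessibility service can still read and act on the form, which is why the service list is forwarded to the risk engine rather than handled on the device alone.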