Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

What happened

Cybersecurity researchers have identified six Android malware families designed to steal financial data and conduct fraud on infected devices. The malware includes PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT, and is capable of abusing Android accessibility services to monitor activity, capture sensitive data, and manipulate financial transactions. One strain, PixRevolution, specifically targets Brazil’s Pix instant payment system and can hijack transactions in real time by redirecting transfers to attacker-controlled accounts. 

Researchers noted that the malware can remain dormant until a victim initiates a Pix transaction, allowing attackers to intercept the payment at the moment it is made. In addition to Pix transfers, the malware families can target banking applications and cryptocurrency wallets installed on infected Android devices. 

Who is affected

The campaign primarily targets Android users, particularly those using financial apps and Brazil’s Pix instant payment platform. Organizations with employees using personal or unmanaged Android devices for banking, payments, or crypto transactions may also face indirect risk if compromised devices are connected to corporate environments. 

Why CISOs should care

The campaign highlights the growing sophistication of mobile financial malware and its ability to exploit legitimate system features like Android accessibility services. For enterprises, compromised employee devices can expose corporate credentials, enable financial fraud, or create entry points into enterprise systems. As mobile devices increasingly handle financial transactions and authentication workflows, they are becoming a key attack vector. 

3 practical actions

  1. Strengthen mobile device security controls: Implement mobile device management (MDM) or mobile threat defense solutions to detect malicious apps and restrict high-risk permissions such as accessibility service abuse.
  2. Limit financial activity on unmanaged devices: Restrict access to corporate banking, payment systems, or crypto platforms from unmanaged mobile devices and enforce strong authentication.
  3. Educate employees about mobile malware risks: Train staff to install apps only from trusted sources and to review requested permissions carefully, especially accessibility privileges often abused by banking malware.