A new Android banking Trojan called PixPirate is targeting more than 100 million Brazilian Pix instant payment accounts.

The Pix payment platform was created and is operated by the Brazil Central Bank, and it’s used to make instant mobile payments across Latin America using a variety of banks.

Researchers with the Cleafy TIR Team — who have been tracking the PixPirate Brazilian banking Trojan since late 2022 — released a report this week detailing PixPirate’s intention to steal credentials and deploy its noteworthy automatic transfer system (ATS) used to make automatic fraudulent money transfers. Additionally, by abusing accessibility services, PixPirate also has the flexibility to steal credentials and launch ATS attacks across multiple bank user interfaces using the Pix platform.

The malware also can intercept and delete SMS messages, push malvertising efforts, and contains code protection that attempts to evade detection, the report said.

“PixPirate represents one of the emerging malware that will try and leverage the double edge blade mechanism related to instant payments,” the Cleafy team added. “The introduction of ATS capabilities paired with frameworks that will help the development of mobile applications, using flexible and more widespread languages (lowering the learning curve and development time), could lead to more sophisticated malware that, in the future, could be compared with their workstation counterparts.”