Zimperium zLabs published research on March 11 detailing a new Android banking trojan called PixRevolution that specifically targets Brazil's Pix instant payment infrastructure. The malware introduces what researchers describe as an agent-in-the-loop attack model, in which a human or artificial intelligence operator monitors an infected device's screen in real time and intervenes at the precise moment a victim initiates a Pix transfer.
The trojan is distributed through fraudulent download pages designed to resemble the official Google Play Store, impersonating trusted brands including Expedia, the Brazilian postal service Correios, and financial institutions such as Sicredi and XP Investimentos. Once installed, the application requests accessibility service permissions through convincing onboarding screens that falsely claim the permissions are needed for core functionality.
With accessibility access granted, PixRevolution uses Android's MediaProjection API to capture the device screen and stream it continuously to its command-and-control servers. The malware watches for more than 80 Portuguese-language financial transaction phrases, which it stores base64-encoded to evade static string scanning. When a victim initiates a Pix transfer, the operator observes the screen live and triggers the attack sequence: a fake loading overlay displaying the word "Aguarde" (Portuguese for "wait") covers the screen while the malware replaces the recipient's Pix key with an attacker-controlled account and simulates the confirmation tap.
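A defender-side static check for the base64 trick described above, added here as an example and not taken from the Zimperium report: it scans a strings dump for base64-looking runs, decodes those that yield printable text, and flags any that contain a Portuguese payment keyword. The keyword list and the sample dump are constructed for illustration; the report does not publish the trojan's actual phrase list.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed watch-list of Portuguese payment phrases (assumption: the
# report does not publish the trojan's real list; these are illustrative).
PIX_KEYWORDS: List[str] = ["pix", "transferir", "confirmar", "chave", "valor"]

# Candidate base64 runs: 12+ chars of the base64 alphabet, optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def _try_decode(token: str) -> Optional[str]:
    """Decode one base64 token to text, or None if it is not textual."""
    padded = token + "=" * (-len(token) % 4)  # restore stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # Identifiers that happen to be valid base64 usually decode to
    # non-printable bytes; keep only fully printable text.
    if not text or not all(c.isprintable() for c in text):
        return None
    return text


def find_hidden_phrases(strings_dump: str,
                        keywords: List[str] = PIX_KEYWORDS) -> Dict[str, str]:
    """Map each base64 token in a strings dump to the phrase it hides,
    keeping only phrases that contain a watch-list keyword."""
    hits: Dict[str, str] = {}
    for match in B64_RUN.finditer(strings_dump):
        token = match.group(0)
        text = _try_decode(token)
        if text is not None and any(k in text.lower() for k in keywords):
            hits[token] = text
    return hits


# Constructed sample resembling `strings` output for a DEX/resource file.
SAMPLE_DUMP = "\n".join([
    "Lcom/example/app/MainActivity;",
    base64.b64encode("Confirmar transferência Pix".encode()).decode(),
    "AAAAAAAAAAAAAAAAAAAAAAAA",  # decodes to zero bytes: not text
    base64.b64encode("Chave Pix do destinatário".encode()).decode().rstrip("="),
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
])

if __name__ == "__main__":
    for token, phrase in find_hidden_phrases(SAMPLE_DUMP).items():
        print(f"{token} -> {phrase}")
```

Run it against the output of `strings` on an unpacked APK's classes.dex and resources; tokens that decode to payment vocabulary are worth a closer look, while the noise lines in the sample show why the printable-text filter is needed.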
What distinguishes PixRevolution from traditional banking trojans is its bank-agnostic design. The malware contains no hardcoded list of target banking applications. Instead, it monitors all applications for transaction indicators using accessibility tree queries, making it effective across any Brazilian financial platform that processes Pix payments. The trojan dynamically locates interface elements rather than relying on fixed screen coordinates, allowing it to function across different devices and app versions.
The threat is amplified by the scale and finality of Pix. With over 150 million registered users and more than three billion transactions processed monthly, even a modest success rate could result in significant financial losses. Because Pix transfers settle instantly and cannot be reversed, victims typically discover the theft only after checking their transaction history, by which time recovery is extremely difficult.
The research highlights an evolution in mobile payment fraud from fully automated scripts to operator-assisted attacks that can adapt to different banking interfaces in real time. This represents a meaningful escalation in the sophistication of threats targeting instant payment systems globally.