Mallory
Malware

PixRevolution

PixRevolution is an Android banking Trojan targeting Brazil’s Pix instant payment system. It is distributed via fake Google Play Store pages hosted on attacker-controlled domains that impersonate brands and services including Expedia, Sicredi, and Correios (the Brazilian postal service), leading victims to download a malicious APK. The malware prompts users to enable a fraudulent Android accessibility service named "Enable Revolution," after which it can control taps and swipes, read on-screen text, and capture audio via the microphone. It also uses Android’s MediaProjection API for near real-time screen capture and communicates with command-and-control infrastructure over TCP port 9000, including periodic heartbeat messages containing device information. PixRevolution monitors the screen for more than 80 Portuguese keywords related to banking transfers and remains relatively stealthy until a victim initiates a Pix payment. At that moment, a human or AI-assisted operator can observe the live screen and hijack the transaction in real time, displaying a fake HTML/WebView overlay with the message "Aguarde..." (Portuguese for "please wait") while replacing the intended recipient’s Pix key with an attacker-controlled key, so the funds are routed to the threat actor instead of the intended payee. Reports state that the malware implicitly targets most Brazilian financial institutions rather than a fixed list of banking apps. Zimperium has described it as a novel banking Trojan that is part of a broader, active Brazilian Android threat landscape. The campaign targets Brazilian mobile banking users and abuses the country’s widely adopted Pix ecosystem, where transfers are instant and final, which makes recovery difficult.
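As an added example (not code from Mallory, Zimperium or the reports quoted on this page), the following Python flags the periodic port-9000 heartbeat pattern described above when run over constructed flow records; the addresses, 30-second interval and jitter thresholds are assumptions, not values from the page.

```python
"""Beacon detection over constructed flow records, added here as an example
(not Mallory's, Zimperium's or the malware's code). It looks for the heartbeat
pattern reported for PixRevolution: regular TCP connections to port 9000."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records (assumed, not from the page): "timestamp src dst dport bytes".
SAMPLE_FLOWS = """
2024-05-01T10:00:00 10.0.0.7 203.0.113.50 9000 212
2024-05-01T10:00:30 10.0.0.7 203.0.113.50 9000 214
2024-05-01T10:01:00 10.0.0.7 203.0.113.50 9000 213
2024-05-01T10:01:30 10.0.0.7 203.0.113.50 9000 212
2024-05-01T10:02:00 10.0.0.7 203.0.113.50 9000 215
2024-05-01T10:00:05 10.0.0.7 198.51.100.9 443 1480
2024-05-01T10:03:12 10.0.0.7 198.51.100.9 443 772
2024-05-01T10:00:10 10.0.0.8 203.0.113.50 9000 300
"""

WATCHED_PORT = 9000      # non-standard C2 port reported for PixRevolution
MIN_CONNECTIONS = 4      # fewer than this is too little to call the traffic periodic
MAX_JITTER = 0.2         # stdev/mean of inter-arrival gaps; lower means more regular

def parse_flows(text):
    """Return a list of (timestamp, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows

def find_heartbeats(flows, port=WATCHED_PORT):
    """Group flows to the watched port by (src, dst) and return the groups whose
    connection gaps are regular enough to look like a heartbeat: (src, dst, mean_gap_s)."""
    groups = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport == port:
            groups[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in groups.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= MAX_JITTER:
            hits.append((src, dst, mean))
    return hits
```

In production the same logic applies to NetFlow or proxy exports; the pattern to tune is the combination of a non-standard port, a short regular interval and near-constant payload size, rather than the port number alone.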


MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1204.002 Malicious File (evidence: 1)

when someone who stumbles on such a page attempts to download an app from the official Play Store, they instead download a malicious Android package kit (APK) file.

T1648 Serverless Execution (evidence: 1)

"Once installed, the apps urge users to enable accessibility services to realize their goals."; "TaxiSpy RAT... abuses Android's accessibility service..."; "The malware abuses accessibility permissions for persistent control"

Persistence

1 technique
T1546 Event Triggered Execution (evidence: 1)

That APK file registers a new Android accessibility option called 'Enable Revolution'... when they do that, the Trojan completely takes over the device. It has access to taps, swipes, all on-screen text, and all audio that reaches the microphone.

Privilege Escalation

1 technique
T1546 Event Triggered Execution (evidence: 1)

That APK file registers a new Android accessibility option called 'Enable Revolution'... when they do that, the Trojan completely takes over the device. It has access to taps, swipes, all on-screen text, and all audio that reaches the microphone.

Credential Access

1 technique
T1056 Input Capture (evidence: 1)

It has access to taps, swipes, all on-screen text, and all audio that reaches the microphone.

the attacker puts up an HTML overlay telling them to please wait (Aguarde…) while the hijack takes place behind the scenes.

Collection

4 techniques
T1056 Input Capture (evidence: 1)

It has access to taps, swipes, all on-screen text, and all audio that reaches the microphone.

the attacker puts up an HTML overlay telling them to please wait (Aguarde…) while the hijack takes place behind the scenes.

T1113 Screen Capture (evidence: 1)

The Trojan also establishes a command-and-control (C2) server through port 9000 and gives the operator access to real-time screen capture with little delay.

T1123 Audio Capture (evidence: 1)

It has access to taps, swipes, all on-screen text, and all audio that reaches the microphone.

T1185 Browser Session Hijacking (evidence: 1)

When malware compromises the device, attackers can intercept authentication codes or manipulate legitimate banking sessions while appearing to be the real user.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

The Trojan also establishes a command-and-control (C2) server through port 9000 and gives the operator access to real-time screen capture with little delay.

T1571 Non-Standard Port (evidence: 1)

"It also connects to an external server over TCP on port 9000 to send periodic heartbeat messages containing device information"
