The newly identified PixPirate campaign also includes a new version of the downloader, which contains a link to a YouTube video that walks the target victim through unknowingly installing the droppee Android Package Kit (APK) and granting it all the permissions and capabilities it needs to execute fully on the victim’s device. The YouTube video imitates a legitimate tutorial explaining how to install a genuine financial services app, and to date it has more than 78,000 views, which gives some sense of the infection’s reach if every viewer followed through and unknowingly installed the PixPirate malware.

In the video, a user launches the downloader app for the first time; the app poses as a legitimate financial services application. The PixPirate downloader then asks the user to install an updated version of itself. Once the installation is complete, the victim has actually installed a new malicious application rather than simply upgrading the downloader. This new app, the droppee app, is in fact the PixPirate malware, which then stays hidden from the user by having no icon on the home screen of the infected device.

As discussed in the previous PixPirate blog, staying hidden from the user has many advantages, chiefly giving the PixPirate malware a better chance of sustaining a long infection period in which it can conduct financial fraud. However, this also introduces a problem: without an icon, the victim cannot “start” or activate the malware manually, so who will do it? That is where the PixPirate downloader comes back into play, as the component responsible for running the malware. The previous Trusteer blog post described the innovative way the PixPirate downloader ran the droppee, but in this current campaign Trusteer has detected a new way the downloader executes the malware, as described in the next section.
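The two traits the post attributes to the droppee, that it was installed by another app (the downloader) rather than by an app store and that it registers no launcher activity and so has no home-screen icon, are both visible in a device's package inventory. The following triage script is an added example, not code from the original post or from IBM Trusteer: it parses constructed `pm list packages -i` style lines into a package-to-installer map, flags non-system packages that show either trait, ranks packages showing both, and walks the installer chain back from a hidden package to the app that put it on the device. The inventory lines, package names, launcher set and trusted-installer set are all constructed; on a real device the installer mapping would come from `adb shell pm list packages -i` and the launcher set from the packages that own a MAIN/LAUNCHER activity.

```python
"""Inventory triage for the two droppee traits described in the post: installed
by another app rather than a store, and no launcher activity (no icon).

Added example; not code from the original post or from IBM Trusteer. The
inventory lines, package names and trusted-installer set are constructed."""
import re

# Constructed: installers a fleet chooses to trust (store and system installer).
TRUSTED_INSTALLERS = {"com.android.vending", "com.google.android.packageinstaller"}

# Line format emitted by `pm list packages -i`: "package:<name>  installer=<pkg|null>"
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample inventory. Only the last entry shows both droppee traits.
INVENTORY = [
    "package:com.android.vending  installer=null",                   # system app
    "package:com.example.bank  installer=com.android.vending",        # store install
    "package:com.example.downloader  installer=null",                 # sideloaded by the user
    "package:com.example.droppee  installer=com.example.downloader",  # installed by another app
]
SYSTEM_PACKAGES = {"com.android.vending"}
# Constructed: packages that expose a MAIN/LAUNCHER activity, i.e. have an icon.
LAUNCHER_PACKAGES = {"com.android.vending", "com.example.bank", "com.example.downloader"}


def parse_installers(lines):
    """Map package -> installing package; 'null' (no installer recorded) becomes None."""
    installers = {}
    for line in lines:
        m = PKG_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def triage(installers, launcher_packages, system_packages=frozenset()):
    """Return {package: [reasons]} for non-system packages showing droppee-like traits."""
    findings = {}
    for pkg, installer in installers.items():
        if pkg in system_packages:
            continue  # system apps legitimately have no installer and often no icon
        reasons = []
        if installer is None:
            reasons.append("sideloaded: no installer recorded")
        elif installer not in TRUSTED_INSTALLERS:
            reasons.append(f"installed by another app: {installer}")
        if pkg not in launcher_packages:
            reasons.append("no launcher activity (no home-screen icon)")
        if reasons:
            findings[pkg] = reasons
    return findings


def high_priority(findings):
    """Packages that combine a non-store installer with a missing icon."""
    return sorted(pkg for pkg, reasons in findings.items() if len(reasons) >= 2)


def install_chain(pkg, installers):
    """Follow installer links from a package back to a store or sideload origin.

    For a hidden droppee this names the app that put it on the device, which the
    post also identifies as the component responsible for launching it."""
    chain = [pkg]
    seen = {pkg}
    while True:
        nxt = installers.get(chain[-1])
        if nxt is None or nxt in TRUSTED_INSTALLERS or nxt in seen:
            return chain
        chain.append(nxt)
        seen.add(nxt)


if __name__ == "__main__":
    inst = parse_installers(INVENTORY)
    report = triage(inst, LAUNCHER_PACKAGES, SYSTEM_PACKAGES)
    for pkg in high_priority(report):
        print(pkg, "<-", " <- ".join(install_chain(pkg, inst)[1:]), report[pkg])
```

The system-package exclusion matters: preinstalled apps also report `installer=null` and many have no icon, so without it the "no icon" signal alone produces a flood of benign hits. The installer chain is what turns a single hidden package into a finding about the downloader that deployed it.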