Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

Cybersecurity researchers have discovered half-a-dozen new Android malware families that come with capabilities to steal data from compromised devices and conduct financial fraud.

The Android malware ranges from traditional banking trojans like PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT to full-fledged remote administration tools such as SURXRAT.

PixRevolution, according to Zimperium, targets Brazil’s Pix instant payment platform, hijacking victims’ money transfers in real time to route them to the threat actors instead of the intended payee.

“This new strain of malware operates stealthily within the device until the moment the victim initiates a Pix transfer,” security researcher Aazim Yaswant said. “What distinguishes this threat from conventional banking trojans is its fundamental design: a human or AI agent operator is actively engaged on the remote end, observing the victim’s phone screen instantaneously, poised to act at the precise moment of transaction.”

The Android malware propagates via fake Google Play Store app listing pages for apps like Expedia, Sicredi, and Correios to trick users into installing the malicious dropper APK files. Once installed, the apps urge users to enable accessibility services to realize their goals.


It also connects to an external server over TCP on port 9000 to send periodic heartbeat messages containing device information and activate real-time screen capture using Android’s MediaProjection API. The main functionality of PixRevolution, though, is the monitoring of the victim’s screen and serving a fake overlay as soon as a victim enters the desired amount and the Pix key of the recipient to initiate the payment.

At that point, the trojan shows a fake WebView overlay that says “Aguarde…” (meaning “wait” in Portuguese/Spanish), while, in the background, it replaces the Pix key with the attacker’s to complete the funds transfer. In the final stage, the overlay is removed, and the victim is shown a “transfer complete” confirmation screen in the Pix app.
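The fixed-interval heartbeat described above is something network telemetry can surface even when the payload is encrypted. The following added example, not part of the article or of any vendor’s tooling, runs a simple beaconing check over constructed flow records and generalizes beyond port 9000 to any destination contacted at near-constant intervals.

```python
import statistics
from collections import defaultdict

# Constructed flow records for illustration: (timestamp_s, src, dst, dst_port).
# The first group mimics a ~60 s heartbeat to a TCP/9000 server; the second is
# ordinary web traffic with irregular gaps.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 9000), (60, "10.0.0.5", "203.0.113.7", 9000),
    (121, "10.0.0.5", "203.0.113.7", 9000), (180, "10.0.0.5", "203.0.113.7", 9000),
    (241, "10.0.0.5", "203.0.113.7", 9000), (300, "10.0.0.5", "203.0.113.7", 9000),
    (5, "10.0.0.5", "198.51.100.20", 443), (9, "10.0.0.5", "198.51.100.20", 443),
    (400, "10.0.0.5", "198.51.100.20", 443), (401, "10.0.0.5", "198.51.100.20", 443),
    (950, "10.0.0.5", "198.51.100.20", 443),
]

def find_beacons(flows, min_conns=5, max_cv=0.15):
    """Return (src, dst, port, period_s) tuples whose connection timing looks
    like a heartbeat: at least min_conns connections to the same peer whose
    inter-arrival times vary little (coefficient of variation <= max_cv)."""
    by_peer = defaultdict(list)
    for ts, src, dst, port in flows:
        by_peer[(src, dst, port)].append(ts)
    hits = []
    for key, times in by_peer.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # jitter relative to the period
        if cv <= max_cv:
            hits.append((*key, round(mean, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, port, period in find_beacons(FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period}s")
```

Thresholds like `min_conns` and `max_cv` need tuning per environment; legitimate software (update checks, push keep-alives) also beacons, so treat a hit as a lead to triage, not a verdict.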

“From the victim’s perspective, nothing unusual happened,” Yaswant said. “The app briefly showed a loading indicator, something that occurs routinely during legitimate banking operations. The transfer was confirmed successfully. The amount they intended to send was deducted from their account.”

“It is only later, sometimes much later, that the victim discovers the money went to the wrong account. And because Pix transfers are instant and final, recovery is extraordinarily difficult.”

Brazilian users have also become the target of another Android‑based malware campaign called BeatBanker, which spreads primarily through phishing attacks via a website disguised as the Google Play Store. BeatBanker gets its name from the use of an unusual persistence mechanism that involves playing an almost inaudible audio file, a 5-second recording featuring Chinese words, on a loop to prevent it from being terminated.

Besides incorporating runtime checks for emulated or analysis environments, the malware monitors battery temperature and percentage, and verifies whether the user is using the device to start or stop the Monero miner as required. It uses Google’s Firebase Cloud Messaging (FCM) for command‑and‑control (C2).

“To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking trojan capable of completely hijacking the device and spoofing screens, among other things,” Kaspersky said. “When the user tries to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.”

The banking module also monitors web browsers like Chrome, Edge, Firefox, Brave, Opera, DuckDuckGo, Dolphin Browser, and sBrowser to capture the URLs accessed by the victim. In addition, it supports the ability to receive a long list of commands from the server to collect personal information and gain complete control of the device.

Recent iterations of the campaign have been found to drop BTMOB RAT instead of the banking module. It provides operators with comprehensive remote control, persistent access, and surveillance over compromised devices. BTMOB is assessed to be an evolution of CraxsRAT, CypherRAT, and SpySolr families, all of which have been linked to a Syrian threat actor who goes by the online alias EVLF.

“We also saw the distribution and sale of leaked BTMOB source code on some dark web forums,” the Russian security vendor said. “This may suggest that the creator of BeatBanker acquired BTMOB from its original author or the source of the leak and is utilizing it as the final payload.”

TaxiSpy RAT, similar to PixRevolution, abuses Android’s accessibility service and MediaProjection APIs to collect SMS messages, contacts, call logs, clipboard contents, installed apps list, notifications, lock screen PINs, and keystrokes, as well as target Russian banking, cryptocurrency, and government apps by serving overlays to conduct credential theft.

The malware combines traditional banking trojan functionality with full RAT capabilities, enabling threat actors to gather sensitive data and execute commands sent via Firebase push messages. Several TaxiSpy samples have been discovered by both CYFIRMA and Zimperium, indicating active efforts on the part of attackers to evade signature-based detection and blacklist defenses.

“The malware leverages advanced evasion techniques, such as native library encryption, rolling XOR string obfuscation, and real-time VNC-like remote control via WebSocket,” CYFIRMA said. “Its design allows comprehensive device surveillance, including SMS, call logs, contacts, notifications, and banking app monitoring, highlighting its financially motivated and region-specific focus.”

Another Android banking trojan of note is Mirax, which has been advertised by a threat actor named Mirax Bot as a private malware-as-a-service (MaaS) offering for a monthly price of $2,500 for a full version or $1,750 for a light variant. Mirax claims to offer banking overlays, information gathering (e.g., keystrokes, SMS, lock patterns), and a SOCKS5 proxy to route malicious traffic through compromised devices.

Mirax is not the only Android MaaS offering detected in recent months. A new Android remote access trojan called Oblivion is being sold for around $300 per month (or $1,900 per year and $2,200 for lifetime access) and claims to bypass detection and security features on devices from major manufacturers.

Once installed, the malware employs an automated permission-granting mechanism that requires no interaction from the victim. This approach, per the seller, works across MIUI / HyperOS (Xiaomi), One UI (Samsung), ColorOS (OPPO), MagicOS (Honor), and OxygenOS (OnePlus).

“What sets it apart isn’t any single feature. It’s the combination: automated permission bypass, hidden remote control, deep persistence, and a point-and-click builder that puts all of it within reach of would-be hackers with even the most minimal level of technical skill,” Certos said.

“Google has made progressive restrictions on accessibility service abuse a priority across successive Android versions. A tool that credibly bypasses those protections on the latest release – and does so across devices from Samsung, Xiaomi, OPPO, and others – represents a genuine challenge to platform-level defenses.”


Also commercially distributed through a Telegram-based MaaS ecosystem is an Android malware family called SURXRAT, which is assessed to be an improved version of Arsink. The malware abuses accessibility permissions for persistent control and communicates with a Firebase-based C2 infrastructure to commandeer infected devices. The malware is marketed on a Telegram channel managed by an Indonesian threat actor.

What’s notable about some of the new samples is the presence of a large language model (LLM) component, indicating that the threat actors behind the malware are experimenting with artificial intelligence (AI) capabilities, along with traditional surveillance. That said, the download of the LLM module is triggered only when specific gaming applications are active on the victim’s device, or when it receives alternative target package names dynamically from the server –

  • Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax)
  • Free Fire x JUJUTSU KAISEN (com.dts.freefireth)

Select SURXRAT samples also incorporate a ransomware-style screen locker module that makes it possible for a remote operator to hijack control of a victim’s device and deny access by displaying a full-screen lock message until a payment is made.

“This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities,” Cyble said. “The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection.”
