Zimperium warns banking trojan could spread across the globe


New research from Zimperium’s zLabs threat intelligence team has uncovered Pixrevolution, a sophisticated Android banking trojan designed to hijack Brazil’s widely used PIX instant payment system in real time.

According to Zimperium, Pixrevolution represents a significant evolution in mobile financial malware. Unlike traditional banking trojans that rely heavily on automated overlays or credential theft, Pixrevolution introduces an agent-operated attack model in which a human or AI operator monitors an infected device’s screen live and intervenes at the precise moment a victim initiates a PIX transfer.

Once installed, the malware silently waits until a user begins a transaction. When the victim enters the payment details and confirms the transfer, Pixrevolution briefly displays a loading screen while secretly replacing the recipient’s PIX key with one controlled by the attacker. The transaction then completes normally from the user’s perspective — but the funds are instantly redirected to the attacker’s account.

“Pixrevolution highlights how mobile financial malware is evolving toward real-time, operator-driven attacks,” said Nicolás Chiaraviglio, Chief Scientist at Zimperium. “Instead of relying solely on automated scripts, attackers are now leveraging live device visibility to intervene at exactly the right moment. This approach allows the malware to bypass many traditional detection methods and makes instant payment systems an especially attractive target.”

The malware spreads through fake app store pages that mimic legitimate listings, tricking users into sideloading malicious Android applications disguised as trusted services. Once installed, the app asks the user to enable it as an accessibility service, presenting this as a requirement for the app to work. In reality, an enabled accessibility service can read the contents of other apps' windows and perform taps and text input on the user's behalf, which gives the trojan full visibility into on-screen activity and lets it manipulate user interactions.

Pixrevolution also captures and streams the victim's screen to a remote command-and-control server using Android's MediaProjection API, which requires the victim to accept a system screen-capture prompt. This lets attackers monitor financial activity in real time and inject commands that overwrite transaction details moments before the payment is confirmed.
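The two device-side signals described above, an enabled accessibility service and an app that arrived outside the official store, are both visible through adb. The script below is an added illustration, not Zimperium's code and not part of Pixrevolution: it parses the output of `settings get secure enabled_accessibility_services` and `pm list packages -i`, and flags any enabled service whose package is outside an allowlist, noting when that package has no recorded installer (sideloaded or preinstalled). The allowlist, the package and class names, and the sample command output are constructed for the example.

```python
"""Audit enabled Android accessibility services and where their packages came from.

Added illustration; not Zimperium's code and no part of Pixrevolution.
Assumes `adb` is on PATH with a single device attached. All package and
service names below are constructed examples, not real malware identifiers.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Packages whose accessibility services are expected on the device.
# This allowlist is an assumption for illustration; derive it from your fleet.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated package/ServiceClass pairs; the class may be relative (".Foo").
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pixhelper/.PixAccessibilityService"
)

# Constructed sample of `pm list packages -i` (installer recorded per package).
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.pixhelper  installer=null
package:com.android.settings  installer=null
"""


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: str
    reason: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Return (package, fully qualified service class) pairs from the setting value."""
    raw = raw.strip()
    if not raw or raw == "null":  # the setting is unset when no service is enabled
        return []
    pairs = []
    for item in raw.split(":"):
        if not item:
            continue
        package, _, service = item.partition("/")
        if service.startswith("."):  # relative class name, qualify with the package
            service = package + service
        pairs.append((package, service))
    return pairs


_INSTALLER_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_installers(raw: str) -> dict[str, str]:
    """Map package name -> installing package ('null' means none recorded)."""
    result = {}
    for line in raw.splitlines():
        m = _INSTALLER_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def audit(services_raw: str, installers_raw: str, allowed=ALLOWED_PACKAGES) -> list[Finding]:
    """Flag enabled accessibility services whose package is not allowlisted."""
    installers = parse_installers(installers_raw)
    findings = []
    for package, service in parse_enabled_services(services_raw):
        if package in allowed:
            continue
        installer = installers.get(package, "unknown")
        reason = "accessibility service enabled for package outside allowlist"
        if installer == "null":
            reason += "; no installer recorded (sideloaded or preinstalled)"
        findings.append(Finding(package, service, installer, reason))
    return findings


def adb_shell(*args: str) -> str:
    """Run a command on the attached device and return its stdout."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    try:
        services = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
        installers = adb_shell("pm", "list", "packages", "-i")
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No device or no adb: fall back to the constructed samples above.
        services, installers = SAMPLE_SERVICES, SAMPLE_INSTALLERS
    for f in audit(services, installers):
        print(f"{f.package} ({f.service}) installer={f.installer}: {f.reason}")
```

A package that is both outside the allowlist and has no recorded installer matches the delivery path in the article (sideloaded from a fake store page, then granted accessibility access), so that combination is the finding to triage first. System apps also report `installer=null`, which is why the allowlist, not the installer alone, decides what is flagged.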

The threat is particularly concerning given the scale of the PIX ecosystem. Launched by Brazil's central bank in 2020, PIX now processes billions of transactions each month and is used by the majority of the country's population. Because PIX transfers settle instantly and the funds are immediately available to the recipient, fraudulent transactions are extremely difficult to recover once completed.

Zimperium researchers warn that the operational model behind Pixrevolution, combining screen surveillance, accessibility abuse, and operator-controlled transaction manipulation, could easily extend beyond Brazil to other global instant payment systems.