Zimperium zLabs Uncovers PixRevolution Android Trojan Hijacking Brazil’s PIX Payments in Real Time
WHY THIS MATTERS: The emergence of the PixRevolution banking trojan marks a significant escalation in the cyber threat landscape targeting instant payments infrastructure globally. This discovery is a stark reminder that as real-time payment rails—like Brazil’s PIX—become central to economic activity, they become prime targets for sophisticated attack models. The trojan’s operator-driven approach, which involves live screen monitoring and human (or AI-assisted) intervention, bypasses many of the behavioral and pattern-based fraud detection systems currently deployed by financial institutions. This shift from automated scripts to real-time, surveillance-based hijacking of transactions exploits a core vulnerability of faster payments: their irreversibility. For every financial institution, this news signals an urgent need to re-evaluate their defense strategy, focusing on advanced mobile threat detection that can spot the manipulation of accessibility services and screen streaming, rather than just traditional credential theft.
Zimperium, the world leader in AI-empowered mobile security, announced new research from its zLabs threat intelligence team uncovering PixRevolution, a sophisticated Android banking trojan designed to hijack Brazil’s widely used PIX instant payment system in real time.
PixRevolution represents a significant evolution in mobile financial malware. Unlike traditional banking trojans that rely heavily on automated overlays or credential theft, PixRevolution introduces an agent-operated attack model in which a human or AI operator monitors an infected device’s screen live and intervenes at the precise moment a victim initiates a PIX transfer.
Once installed, the malware silently waits until a user begins a transaction. When the victim enters the payment details and confirms the transfer, PixRevolution briefly displays a loading screen while secretly replacing the recipient’s PIX key with one controlled by the attacker. The transaction then completes normally from the user’s perspective — but the funds are instantly redirected to the attacker’s account.
“PixRevolution highlights how mobile financial malware is evolving toward real-time, operator-driven attacks,” said Nicolás Chiaraviglio, Chief Scientist at Zimperium. “Instead of relying solely on automated scripts, attackers are now leveraging live device visibility to intervene at exactly the right moment. This approach allows the malware to bypass many traditional detection methods and makes instant payment systems an especially attractive target.”
The malware spreads through fake app store pages designed to mimic legitimate listings, tricking users into downloading malicious Android applications disguised as trusted services. Once installed, the app requests accessibility permissions under the guise of enabling functionality. In reality, this permission grants the trojan full visibility into on-screen activity and allows it to manipulate user interactions.
PixRevolution also captures and streams the victim’s screen to a remote command-and-control server using Android’s MediaProjection API. This enables attackers to monitor financial activity in real time and inject commands that overwrite transaction details moments before the payment is confirmed.
The threat is particularly concerning given the scale of the PIX ecosystem. Launched by Brazil’s central bank in 2020, PIX now processes billions of transactions each month and is used by the majority of the country’s population. Because PIX transfers are instant and irreversible, fraudulent transactions are extremely difficult to recover once completed.
Zimperium researchers warn that the operational model behind PixRevolution, combining screen surveillance, accessibility abuse, and operator-controlled transaction manipulation, could easily extend beyond Brazil to other global instant payment systems.
FF NEWS TAKE: This sophisticated threat moves the needle dramatically by exposing a critical weakness in relying on traditional anti-fraud measures in the age of mobile financial services. Since this operator-controlled model can be easily adapted to other global instant payment schemes, it elevates the risk profile for banks and regulators worldwide. We must watch for an immediate industry pivot toward securing the mobile endpoint itself. Specifically, future focus must be on zero-trust architectures for mobile transaction flows and real-time behavioral biometrics to flag unauthorized screen access.
