A clear example is the family named PixRevolution, analyzed by Zimperium. This malware is focused on Brazil and its main target is the Pix instant payment platform. Rather than merely stealing credentials, it waits for the exact moment the victim initiates a transfer, captures the screen and replaces the beneficiary's "Pix key" with one belonging to the attacker, all while showing a fake loading screen so the victim suspects nothing. Because Pix transfers are instant and final, recovering the money is often extremely difficult. More technical details can be found in the Zimperium report and in the Central Bank of Brazil's official Pix documentation: Zimperium - PixRevolution and Banco Central do Brasil - Pix.
Another worrying family found in Brazil is BeatBanker. Kaspersky researchers show that its distribution relies on pages that mimic the app store to deceive victims. BeatBanker combines several capabilities: a cryptocurrency mining component, a banking module with overlays that replaces destination addresses in transfers (e.g. USDT) and unorthodox mechanisms to stay active on the system. Its persistence trick is striking: it plays an almost inaudible audio file in a loop to make it harder for the operating system to kill its process. Kaspersky's analysis describes these behaviors and the defenses the sample uses: Kaspersky - BeatBanker.

In the same vein of hybrid threats is the TaxiSpy RAT, which combines interface spoofing (overlays) with full monitoring of the device. This family abuses accessibility services and the screenshot API to collect SMS messages, call logs, contacts, clipboard contents, lock patterns and even keystrokes. It also incorporates evasion techniques, native library encryption and VNC-style remote control over WebSocket. Reports from CYFIRMA and other firms document samples and indicators showing that the authors seek to evade signatures and blocklists: CYFIRMA - TaxiSpy and Zimperium - IOCs TaxiSpy.
Beyond privately operated families, the criminal ecosystem is also organized commercially. Products are offered as a subscription or a one-time payment and put these capabilities in the hands of buyers with little technical knowledge. Mirax, for example, has been promoted as a private service with banking overlays, keylogging and a SOCKS5 proxy, at prices that have been disclosed in forums. Another recent case is Oblivion, a RAT sold with the promise of bypassing manufacturer protections and automating the granting of permissions on vendor Android skins (Samsung, Xiaomi, OPPO, etc.). These developments were detected and discussed by analysts and publications tracking the sale of these threats: publication about Mirax and analysis of Oblivion by Certo.
An additional commercial vector is SURXRAT, distributed through Telegram channels and regarded as an evolution of earlier families. SURXRAT makes use of accessibility permissions and Firebase-based infrastructure to communicate with its operators. Most disturbing of all, some samples download a large language model (LLM) module under very specific conditions, for example when they detect that the victim has certain games installed, and also include "locker" modules that lock the screen and demand a ransom. The Cyble report examines these emerging capabilities and suggests that attackers are experimenting with integrating AI into their tools: Cyble - SURXRAT and LLM.
How do these threats get onto the phone? The attacks combine social and technical techniques: pages that imitate the official store, dropper APKs that sideload the payload outside Google Play, requests for accessibility permissions that enable full control of the device, legitimate APIs such as MediaProjection to capture the screen, and services like Firebase to receive remote commands. With these ingredients, attackers can watch the screen in real time, overlay fake views to alter what is displayed and run remote commands.
The technical evolution of the malware also includes engineering improvements to hinder analysis: native library encryption, string obfuscation, emulator checks, and persistence mechanisms that make removal difficult. Worse still, the malware-as-a-service model lowers the barrier to entry: anyone with resources can rent or buy these tools and launch targeted campaigns.

Against this background, there are practical measures anyone can implement immediately to reduce the risk. Do not download applications from suspicious pages or links; always prefer the official store and check the developer's reputation. Do not grant accessibility permissions to applications that do not genuinely require them, and regularly review which apps hold that privilege. Keep the operating system and applications up to date, enable Google Play Protect and use additional authentication (bank notifications, transaction codes, 2FA) for banking operations. If there is any doubt about a transfer, contact the financial institution immediately: in instant operations like Pix, time is essential. For more guidance on Google Play protections, see the Play Protect documentation: Google Play Protect.
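The two ingredients that recur in every family above, accessibility permissions granted to a sideloaded app, can be audited from a computer with adb rather than by tapping through Settings. The script below is an added example, not code from the original article or from any of the vendors cited: it parses the output of `settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries) and `pm list packages -i` (each line `package:<pkg>  installer=<installer>`), and flags any app with an accessibility service enabled whose installer is not Google Play (`com.android.vending`). The `com.example.*` package names and installer values in the embedded sample are constructed for the example; when adb and a device are available, the script queries the real device instead.

```shell
#!/bin/sh
# Added example (not from the article or any cited vendor): audit which apps on an
# Android device have an accessibility service enabled and where they were installed from.
#
# Constructed sample output of the two adb commands the script parses. The package
# names and installer values below are made up for this example.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.pixhelper/com.example.pixhelper.A11yService'
SAMPLE_PKGS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.pixhelper  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.example.flashlight  installer=com.android.packageinstaller'

# enabled_accessibility_services is a colon-separated list of "package/ServiceClass".
# Print one package name per line ("null" or empty input yields nothing).
a11y_packages() {
  printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p'
}

# `pm list packages -i` prints "package:<pkg>  installer=<installer|null>".
# Print "<pkg> <installer>" pairs, one per line.
package_installers() {
  printf '%s\n' "$1" | sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p'
}

# Print "<pkg> <installer>" for every accessibility-enabled app whose installer is
# not Google Play (com.android.vending). Returns 0 if nothing was flagged, 1 otherwise.
flag_sideloaded_a11y() {
  found=0
  for pkg in $(a11y_packages "$1"); do
    inst=$(package_installers "$2" | awk -v p="$pkg" '$1 == p { print $2 }')
    [ -n "$inst" ] || inst="unknown"
    case "$inst" in
      com.android.vending) ;;                      # installed from Google Play
      *) printf '%s %s\n' "$pkg" "$inst"; found=1 ;;
    esac
  done
  return $found
}

# Use a connected device when adb is available; otherwise fall back to the sample.
main() {
  if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    pkgs=$(adb shell pm list packages -i | tr -d '\r')
  else
    echo "no device found; running against the constructed sample"
    a11y=$SAMPLE_A11Y
    pkgs=$SAMPLE_PKGS
  fi
  if flag_sideloaded_a11y "$a11y" "$pkgs"; then
    echo "no accessibility-enabled app was installed outside Google Play"
  else
    echo "review the apps above: an accessibility grant to a sideloaded app is a red flag"
  fi
}

main "$@"
```

Treat the output as a triage list, not a verdict: `installer=null` is also what preinstalled system apps and apps pushed with `adb install` report, and an accessibility service legitimately belongs to screen readers such as TalkBack. What the check surfaces is the combination the families above depend on, an app that arrived outside the store and now holds the privilege that lets it read and overlay the screen.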
The appearance of AI-based components inside malicious packages is a warning: attackers are experimenting with new ways to automate interaction with the victim, adapt their attacks and evade detection. This means not only greater technical sophistication but also the need for defenses and regulation to advance at the same pace. Meanwhile, the best vaccine remains user prudence and a quick response to any sign of suspicious activity.
If you think your device has been compromised, disconnect it from all networks, change your passwords from another trusted device and contact your bank to block operations. Reporting the incident to local authorities and security services helps map and stop these campaigns. The threat is growing and becoming more professional, but with prevention and rapid reaction the damage can be minimized.