Cyber Incident Victim: Banco Inter
Date: Mar 2023
Location: Brazil
Summary
The GoatRAT Android banking Trojan targeted Banco Inter and other Brazilian financial institutions by exploiting the Pix automated payment system to perform unauthorized instant transfers from compromised accounts. The malware used overlays to stealthily input transaction details and simulate confirmation clicks within legitimate banking apps without the victim noticing, using a simplified attack framework focused solely on automated fund theft. This incident reflects a broader trend of increasingly specialized mobile banking Trojans adopting automated transfer capabilities to streamline financial fraud.
Description
The GoatRAT Android banking Trojan targeted Banco Inter, Nubank, and PagBank in Brazil around March 2023, exploiting the Central Bank of Brazil's Pix instant payment platform. Researchers from Cyble identified the malware as part of a six-month trend of automated transfer system (ATS) banking Trojans designed specifically for unauthorized fund transfers. GoatRAT originated as an Android remote administration tool that was repurposed for financial fraud, focusing exclusively on automated money movement without incorporating secondary capabilities like SMS interception or authentication code theft. The malware operated by compromising victims' Pix keys, the unique identifiers enabling instant payments across Latin American banking systems. Its limited functionality underscored a shift toward specialized malware requiring fewer permissions to execute attacks. Banco Inter's mobile banking application was among the confirmed targets, with the malware employing identical attack patterns against other financial institutions.

GoatRAT executed unauthorized transfers through a four-step process after infecting a device. It first abused Android's Accessibility Service to monitor the active application package name, confirming when a victim accessed Banco Inter’s legitimate app. Upon verification, the malware deployed a fake overlay window mimicking the banking interface to conceal its activities. This overlay facilitated automated input of transfer amounts and Pix keys directly into the legitimate app without user interaction. GoatRAT then triggered an automatic clicking mechanism to activate “Confirm” and “Pay” buttons within Banco Inter’s application, completing the fraudulent transfer. Post-transaction, the malware removed the overlay to eliminate visible traces. The attack exploited device permissions but did not require advanced capabilities beyond those typical in accessibility abuse. Researchers noted the incident reflected broader threats to automated payment ecosystems in Latin America, with mobile banking Trojan variants doubling in 2022 according to third-party analytics. Financial losses stemmed directly from unauthorized Pix transfers initiated through compromised devices.
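For defenders triaging sideloaded APKs, the accessibility dependency described above is visible in the decoded manifest. The following is an added example, not code from Cyble or from the page: `triage_manifest`, the allow-list and both sample manifests are constructed for illustration, and the permission names are the Android platform's own, since the page does not list the permissions GoatRAT requested.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

def triage_manifest(xml_text, allowlist=frozenset()):
    """Return findings for one decoded AndroidManifest.xml (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        # Android only binds an accessibility service that declares both.
        if svc.get(ANDROID + "permission") == A11Y_BIND and A11Y_ACTION in actions:
            services.append(svc.get(ANDROID + "name"))
    findings = {
        "package": package,
        "accessibility_services": services,
        "requests_overlay": OVERLAY in perms,
        "allowlisted": package in allowlist,
    }
    # An accessibility service can read the foreground package and click for
    # the user. It can also draw TYPE_ACCESSIBILITY_OVERLAY windows without
    # SYSTEM_ALERT_WINDOW, so a missing overlay permission still needs review.
    if not services or findings["allowlisted"]:
        findings["risk"] = "none"
    elif findings["requests_overlay"]:
        findings["risk"] = "high"
    else:
        findings["risk"] = "review"
    return findings

# Constructed sample manifests (not taken from any real app or malware sample).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.updater">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
BENIGN = SUSPECT.replace("android.permission.BIND_ACCESSIBILITY_SERVICE",
                         "android.permission.BIND_JOB_SERVICE")
```

A finding here is a reason to inspect the app, not a verdict: legitimate assistive tools declare the same service, which is why the allow-list exists.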
