Cyber Incident Victim: NUBank
Date: Mar 2023
Location: Brazil
Summary
The NUBank incident involved the GoatRAT Android banking trojan exploiting Brazil's Pix instant payment system to conduct unauthorized automated money transfers from compromised accounts. The malware used accessibility services to detect targeted banking apps, deployed overlays to conceal malicious activity, and auto-filled transaction details while simulating clicks to confirm fraudulent payments. Part of a broader trend favoring automated transfer system frameworks, this trojan specifically stole Pix keys but lacked the SMS and authentication-code interception capabilities seen in similar malware. The attack impacted multiple Brazilian financial institutions through covert transfer execution mechanisms.
Description
In March 2023, researchers identified GoatRAT, an Android banking trojan targeting Brazilian financial institutions including NUBank, Banco Inter, and PagBank. The malware exploited Brazil’s Central Bank-operated Pix instant payment system by stealing victims' Pix keys to initiate unauthorized transfers. Operating as a remote administration tool repurposed for financial fraud, GoatRAT infected devices through malicious downloads, then monitored active applications using Android’s Accessibility Service. Upon detecting targeted banking apps like NUBank’s mobile application, the trojan deployed a fake overlay window mimicking legitimate interfaces to conceal its activity. It subsequently injected payment details—including transfer amounts and Pix keys—directly into the banking app’s transaction fields, followed by automated clicks on "Confirm" and "Pay" buttons to execute transfers. This streamlined four-step process focused exclusively on automated transfers, distinguishing it from other banking trojans by omitting capabilities like SMS interception or authentication code theft.

The incident impacted users of NUBank and other targeted institutions through unauthorized instant transfers from compromised accounts. Researchers observed GoatRAT leveraging an automatic transfer system (ATS) framework, part of a broader shift among Latin American threat actors toward financial malware capable of conducting end-to-end fraud without secondary theft mechanisms. The attack exemplified a six-month trend of increasingly sophisticated ATS-enabled trojans, coinciding with a 100% year-over-year surge in new mobile banking malware variants during 2022, reaching approximately 200,000 distinct samples. No specific mitigation actions by NUBank were detailed in available reporting, though researchers emphasized risks posed by trojans requiring minimal permissions to perpetrate fraud. Financial losses stemmed directly from fraudulent Pix transactions, with the malware removing its overlay post-transfer to avoid detection. The incident underscored threats to mobile banking ecosystems exploiting regional payment infrastructure vulnerabilities.
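
A defender-side triage sketch for the permission profile described above, added here as an example (it is not code from the original report or the researchers). It assumes a manifest already decoded to text XML; the package names and both sample manifests are constructed, and the overlay-permission check is an assumption because the page does not say which overlay mechanism GoatRAT uses.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def triage_manifest(xml_text):
    """Summarise the ATS-relevant surface of a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if A11Y_ACTION in actions or svc.get(ANDROID + "permission") == A11Y_BIND:
            services.append(svc.get(ANDROID + "name"))
    return {
        "package": root.get("package"),
        "accessibility_services": services,
        "overlay_permission": OVERLAY in perms,
        "sms_permissions": sorted(perms & SMS),
        # An accessibility service is enough to watch the foreground app and
        # click for the user, so flag it even when no SMS permission is asked.
        "needs_review": bool(services),
    }

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample: accessibility service, no SMS permissions (hypothetical package).
SUSPECT = f"""
<manifest {NS} package="com.example.updater">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Helper" android:permission="{A11Y_BIND}">
      <intent-filter><action android:name="{A11Y_ACTION}"/></intent-filter>
    </service>
  </application>
</manifest>"""
# Constructed sample: ordinary app with no accessibility service.
BENIGN = f"""
<manifest {NS} package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(triage_manifest(sample))
```

A scoring rule that keys on SMS permissions would pass the first sample, which is why the review flag here depends on the accessibility service alone.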
