PagBank

PagBank is a Brazilian financial institution operating within the country's digital banking and instant payment ecosystem. The organization provides mobile banking services to its customers, with a significant integration into the Pix platform, Brazil's central bank-operated instant payment system. This integration allows for real-time fund transfers, a functionality that has become fundamental to daily financial transactions for millions of users in Brazil. As a participant in this national payment infrastructure, PagBank's services are directly accessible through its mobile application, which customers use for managing accounts and executing payments. The prominence of Pix in Brazil's financial landscape means that any institution offering this service becomes a potential target for cybercriminals seeking to exploit the system's speed and widespread adoption for fraudulent activities.

The operational context of PagBank was notably defined by a sophisticated cyber incident in March 2023 involving the GoatRAT Android banking trojan. This malware specifically targeted the mobile banking applications of PagBank and other Brazilian financial institutions to perpetrate fraud through the Pix system. The attack vector exploited the Android Accessibility Services, a legitimate feature designed to assist users with disabilities, to deploy overlay attacks. These overlays mimicked legitimate banking app interfaces, tricking the device into automatically injecting transaction details and Pix keys while simulating user taps to authorize payments without the victim's knowledge. A distinguishing characteristic of this campaign was its exclusive focus on automating fraudulent fund transfers via Pix, rather than the more common objectives of stealing SMS messages or login credentials. This incident underscores PagBank's position within a high-threat environment where mobile banking platforms are continuously targeted by malware families that incorporate Automated Transfer Systems (ATS) to directly manipulate payment workflows. The event reflects a broader trend of escalating mobile banking threats in Brazil, leveraging the nation's reliance on instant payment systems to conduct large-scale, automated financial fraud against multiple institutions simultaneously.