Another Android banking Trojan with the capability to make instant unauthorized money transfers is targeting Brazilian banks as part of a growing trend among threat actors to exploit a new automated payment system in Latin America.
The new GoatRAT — like BraxDex, Senomorphy, and PixPirate before it — steals the Pix key of the mobile devices it targets to make instant payments from compromised accounts, researchers from Cyble revealed in a blog post. Attackers behind GoatRAT use that key to access the Pix payment platform, created and operated by the Brazil Central Bank for users to make instant mobile payments across Latin America using a variety of banks.
So far, the Cyble researchers have observed the RAT — which they said was created first as an Android remote administration tool to take control over victims' devices — targeting three Brazilian banks: NUBank, Banco Inter, and PagBank.
Making automated transfers appears to be the sole aim of the Trojan, which unlike similar malware doesn't include the ability to steal authentication codes or incoming SMS messages, according to the findings.
The malware is part of a growing trend by threat actors over the last six months to create more sophisticated banking malware that includes an automatic transfer system (ATS) framework, "allowing attackers to conduct unauthorized money transfers on infected devices," the Cyble researchers wrote.
"This new variant highlights that in the current technological landscape, there is an elevated risk of cyber attacks that do not require multiple permissions or many banking trojan functionalities to execute financial fraud," the report said.
Indeed, mobile banking Trojan deployment overall is on the rise, with nearly 200,000 new variants of this malware emerging in 2022, according to Kaspersky's "Mobile Threats in 2022" report. This number represents a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.
How GoatRAT Makes Instant Transfers
GoatRAT typically uses a four-step process to perform automated transfers once it infects a user's device. The researchers outlined the system used specifically for the Banco Inter mobile banking application; however, the Trojan has also incorporated similar functions to carry out automatic transfers for the other banking applications it targets, such as NUBank and PagBank, they said.
GoatRAT first abuses the Accessibility Service on an Android device to verify that the name of the active package matches one of a list of targeted application package names, and then deploys a further infection.
Once the targeted app is identified, the malware creates a fake banking overlay window that appears above the legitimate application to hide its malicious activity from the victim. This and another covert process allow the Trojan to enter an amount of money to transfer as well as the device's Pix key into the legitimate banking app without alerting the victim, the researchers said.
The malware also introduces an automatic clicking mechanism for the “Confirm” and “Pay” buttons of the legitimate banking app to complete the instant money transfer. Once this transfer is complete, it removes the overlay window from the top of the legitimate banking app and the malicious process is concluded.
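The sequence above (package-name check through the Accessibility Service, an overlay above the real app, then synthesized "Confirm" and "Pay" clicks) maps onto three checks a banking app can make on its own payment button. The Java class below is an added defensive example written for this article; it is not code from Cyble's report, from the malware, or from any of the named banks. The class name, the allowlist containing only the TalkBack package, and the decision to refuse a synthesized click only while an unrecognised accessibility service is enabled are assumptions of the example; a real app would feed the refusal into step-up authentication or a warning dialog rather than just logging it.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.os.Bundle;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.view.accessibility.AccessibilityManager;
import android.view.accessibility.AccessibilityNodeInfo;
import android.widget.Button;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical hardened "Pay" button (example code, not from the article's sources).
 * It (1) discards finger taps delivered while another app's window covers it,
 * (2) treats ACTION_CLICK from an accessibility service as a synthesized click,
 * and (3) refuses such a click while a non-allowlisted accessibility service is on.
 */
public class GuardedPayButton extends Button {
    private static final String TAG = "GuardedPayButton";

    // Assumed allowlist: accessibility services the app expects to see enabled.
    // TalkBack is Google's screen reader; extend this list per deployment.
    private static final Set<String> TRUSTED_A11Y_PACKAGES = new HashSet<>(
            Arrays.asList("com.google.android.marvin.talkback"));

    public GuardedPayButton(Context ctx, AttributeSet attrs) {
        super(ctx, attrs);
        // Platform overlay mitigation: touches that arrive while this view is
        // obscured by another window never reach onTouchEvent().
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean allowed = super.onFilterTouchEventForSecurity(event);
        if (!allowed && (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            // A tap landed on the real button through an overlay window.
            Log.w(TAG, "tap discarded: payment button obscured by another window");
        }
        return allowed;
    }

    @Override
    public boolean performAccessibilityAction(int action, Bundle args) {
        if (action == AccessibilityNodeInfo.ACTION_CLICK) {
            // Genuine taps are delivered via onTouchEvent(), never through this
            // path, so an ACTION_CLICK here was synthesized by an accessibility
            // service: a screen reader for a legitimate user, or an auto-clicker.
            List<String> untrusted = untrustedAccessibilityServices(getContext());
            if (!untrusted.isEmpty()) {
                Log.w(TAG, "refusing synthesized click; unrecognised services: " + untrusted);
                return false; // not handled: no transfer is confirmed
            }
        }
        return super.performAccessibilityAction(action, args);
    }

    /** Enabled accessibility services whose package is not on the allowlist. */
    public static List<String> untrustedAccessibilityServices(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return suspicious;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED_A11Y_PACKAGES.contains(pkg)) {
                suspicious.add(info.getId()); // "package/ServiceClass" for the log
            }
        }
        return suspicious;
    }
}
```

Two design points matter here. First, refusing every synthesized click would lock out screen-reader users, which is why the check is conditional on an unrecognised service being enabled rather than unconditional; the allowlist is the part each bank has to maintain. Second, the obscured-touch filter only covers a window that fully covers the button; the enabled-service check is what still fires when the malware uses no overlay at all, which is why the two are combined.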
Defending Against ATS Trojans
Researchers made several security recommendations that go along with typical best practices for downloading and using mobile applications to keep devices free of infection from Trojans and other malware that not only can steal funds but also spread to enterprise networks through connected devices.
Mobile device users should only download and install software from official app stores such as the Google Play Store or the iOS App Store, and use a reputable antivirus and Internet security software package on all connected devices, not only mobile devices but also PCs and laptops, the researchers advised.
They also recommended that users never share payment card details with untrusted sources, use strong passwords, and enforce multifactor authentication (MFA) on mobile devices wherever possible. Further, enabling biometric security features such as fingerprint or facial recognition for unlocking mobile devices, wherever possible, is key, the researchers said.
Other common-sense security rules that researchers advise but that users often ignore are to keep devices, operating systems, and apps updated, and to avoid opening links received via SMS or emails delivered to mobile devices. Users should take care when granting any permissions on devices, and ensure that Google Play Protect is enabled on Android devices, the Cyble researchers added.