GoatRAT Android Banking Trojan Targets Mobile Automated Payment System

Published: 23/11/2024   Category: security




The new malware was discovered targeting three banks in Brazil.



Another Android banking Trojan with the capability to make instant unauthorized money transfers is targeting Brazilian banks as part of a growing trend among threat actors to exploit a new automated payment system in Latin America.
The new GoatRAT — like BrasDex, Xenomorph, and PixPirate before it — steals the Pix key of the mobile devices it targets to make instant payments from compromised accounts, researchers from Cyble revealed in a blog post. Attackers behind GoatRAT use that key to access the Pix payment platform, created and operated by the Brazil Central Bank for users to make instant mobile payments across Latin America using a variety of banks.
So far, the Cyble researchers have observed the RAT — which they said was created first as an Android remote administration tool to take control over victims' devices — targeting three Brazilian banks: NUBank, Banco Inter, and PagBank.
Making automated transfers appears to be the sole aim of the Trojan, which unlike similar malware doesn't include the ability to steal authentication codes or incoming SMS messages, according to the findings.
The malware is part of a growing trend by threat actors over the last six months to create more sophisticated banking malware that includes an automatic transfer system (ATS) framework, allowing attackers to conduct unauthorized money transfers on infected devices, the Cyble researchers wrote.
This new variant highlights that in the current technological landscape, there is an elevated risk of cyber attacks that do not require multiple permissions or many banking trojan functionalities to execute financial fraud, the report said.
Indeed, mobile banking Trojan deployment overall is on the rise, with nearly 200,000 new variants of this malware emerging in 2022, according to Kaspersky's Mobile Threats in 2022 report. This number represents a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.
GoatRAT typically uses a four-step process to perform automated transfers once it infects a user's device. The researchers outlined the system used specifically for the Banco Inter mobile banking application; however, the Trojan also has incorporated similar functions to carry out automatic transfers for the other banking applications, such as NUBank and PagBank, that it targets, they said.
GoatRAT first abuses the Accessibility Service on an Android device to verify that the name of the active package matches one of a list of targeted application package names, and then deploys a further infection.
Once the targeted app is identified, the malware creates a fake banking overlay window that appears above the legitimate application to hide its malicious activity from the victim. This and another covert process allow the Trojan to enter an amount of money to transfer as well as the device's Pix key into the legitimate banking app without alerting the victim, the researchers said.
The malware also introduces an automatic clicking mechanism for the “Confirm” and “Pay” buttons of the legitimate banking app to complete the instant money transfer. Once this transfer is complete, it removes the overlay window from the top of the legitimate banking app and the malicious process is concluded.
Researchers made several security recommendations that go along with typical best practices for downloading and using mobile applications to keep devices free of infection from Trojans and other malware that not only can steal funds but also spread to enterprise networks through connected devices.
Mobile device users should only download and install software from official app stores like Google Play Store or the iOS App Store, and use a reputed antivirus and Internet security software package on all connected devices, including not only mobile devices but also PCs and laptops, the researchers advised.
They also recommended that users never share details for payment cards with untrusted sources, use strong passwords, and enforce multifactor authentication (MFA) on mobile devices wherever possible. Further, implementing biometric security features such as fingerprint or facial recognition for unlocking mobile devices wherever possible is key, the researchers said.
Other commonsense security rules that researchers advised but which users often ignore are to keep devices, operating systems, and apps updated, and avoid opening links received via SMS or emails delivered to mobile devices. Users should take care when enabling any permissions on devices, and ensure that Google Play Protect is enabled on Android devices, the Cyble researchers added.
