GoatRAT: Android Banking Trojan Variant Targeting Brazilian Banks

Latest GoatRAT variant implements ATS Framework

Over the last six months, several Android Banking Trojans, including BrasDex, Xenomorph, and PixPirate, have incorporated an Automatic Transfer System (ATS) framework, allowing attackers to conduct unauthorized money transfers on infected devices. Cyble Research & Intelligence Labs (CRIL) has now observed a new banking Trojan that, like these sophisticated malware variants, utilizes the ATS framework to execute fraudulent transactions.

Recently, CRIL identified a malicious shortened URL, hxxps[://]bit[.]ly/nubankmodulo, which redirects users to the GoatRAT URL hxxps://goatrat[.]com/apks/apk20.apk. This website hosts Android malware, and the downloaded APK file is named “apk20.apk,” which pretends to be associated with a Brazilian bank known as NUBank.

Upon analyzing the malicious APK file, we discovered that the malware uses the certificate “38661ea0b53f278f620a3f2c8db6da8ef8ca890e”, which is also found in other malicious applications related to GoatRAT. Furthermore, the domain hxxps[://]goatrat[.]com, from which the APK is downloaded, serves as the administrative panel for GoatRAT, as depicted below.

Figure 1 – GoatRAT admin panel

GoatRAT was originally created as an Android Remote Administration Tool to seize control of a victim’s device. However, a new version of GoatRAT functions as a Banking Trojan, specifically aimed at Brazilian banks.

Like other types of Banking Trojans, GoatRAT utilizes the Accessibility service to implement an Automatic Transfer System (ATS) framework, which enables the transfer of money from the victim’s account using the PIX key. The PIX key is used to perform the instant payment. This malware currently targets three Brazilian banks: NUBank, Banco Inter, and PagBank.

Technical Analysis 

APK Metadata Information  

  • App Name: Módulo de Segurança
  • Package Name: com.goatmw
  • SHA256 Hash: 6583a9b6b83738e0bf2a261fc04483e18772da3241e467fdef37a8e27b1869a7


The figure below shows the metadata information of the application.

Figure 2 – Application metadata information

Once installed, the malware initiates a service named “Server,” which establishes contact with the Command and Control (C&C) server to obtain the PIX Key required to carry out fraudulent transactions. The following image illustrates this process.

Figure 3 – Sending request to receive PIX Key

The malware asks the victim to enable the Accessibility service and grant the overlay permission. Once granted, the malware abuses these permissions to run the Automatic Transfer System (ATS) and to create an overlay on the specific banking application being targeted.

Figure 4 – Prompting victim to grant permissions
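A defender-side triage check for the permission pair described above, as an added example that is not code from the analyzed sample or from CRIL. It assumes the APK's manifest has already been decoded to XML; the ".A11y" service name is hypothetical, and the certificate value from this report is treated as a fingerprint to compare against.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_STORE = "com.android.vending"

# Values taken from this report.
KNOWN_PACKAGE = "com.goatmw"
KNOWN_CERT = "38661ea0b53f278f620a3f2c8db6da8ef8ca890e"

# Constructed manifest shaped like the behaviour described above; it is not the
# sample's real manifest, and the ".A11y" service name is hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.goatmw">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Server"/>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage(manifest_xml, cert_fingerprint="", installer=None):
    """Return findings for a decoded AndroidManifest.xml plus install metadata."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    # An accessibility service must be protected by BIND_ACCESSIBILITY_SERVICE.
    has_a11y = any(s.get(ANDROID + "permission") == A11Y_BIND
                   for s in root.iter("service"))
    findings = []
    if root.get("package") == KNOWN_PACKAGE:
        findings.append("ioc:package")
    if cert_fingerprint.lower().replace(":", "") == KNOWN_CERT:
        findings.append("ioc:signing-cert")
    if has_a11y and OVERLAY in perms:
        findings.append("heuristic:accessibility+overlay")
        if installer != PLAY_STORE:
            findings.append("heuristic:not-from-play-store")
    return findings
```

The heuristic findings are triage signals only: legitimate assistive apps also declare an accessibility service, so the IoC matches carry the weight.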

Automated Transfer System (ATS) Implementation

The malware employs a four-step sequence to perform ATS, as illustrated in the accompanying image.

Figure 5 – ATS framework flow

Checking the targeted application’s package name

The malware misuses the Accessibility Service to check whether the name of the active package matches one of the targeted application package names listed below; on a match, it proceeds with the infection, as shown in Figure 6.

  • br.com.intermedium
  • com.nu.production
  • br.com.uol.ps.myaccount

Figure 6 – Checking target banking application package name

Creating an overlay window on a targeted banking application

After identifying the targeted application, the malware creates a fake banking overlay window that appears above the legitimate application, concealing its malicious actions from the victim. The figure below depicts the code used to add an overlay window.

Figure 7 – Adding an overlay window on the targeted application

Performing ATS

The malware saves the data related to Accessibility nodes in an iterable variable and utilizes the getText() function to extract text from the targeted application. This enables the malware to covertly enter the amount to transfer and PIX key into the legitimate application without alerting the victim.

Initially, the malware checks for the specific text string “CPF, CNPJ, celular, e-mail ou aleatória”, indicating that the genuine application is anticipating the entry of the PIX key. After detecting this, the malware retrieves the PIX key using the getPIX() function and then inserts it into the designated field, as shown in the figure below.

Figure 8 – Inserting the PIX key into the legitimate banking application

The malware also attempts to locate the string associated with the transfer amount, which is typically “0,00”. This indicates that the legitimate application is waiting for the amount to be entered.

Subsequently, the malware inserts the value saved in the “money” variable into the designated field.

Figure 9 – Entering the amount to transfer into the legitimate banking application

Lastly, the malware introduces an automatic clicking mechanism for the “Confirm” and “Pay” buttons to complete the instant money transfer. Similar to the previous actions, the malware scans for the text strings “Pagar” and “CONFIRMAR” and then utilizes the performAction() function to execute the clicks automatically, as shown in the figure below.

Figure 10 – Finishing money transfer activity

Removing overlay from the targeted banking application

Once the money transfer is completed, the malware uses the code in the figure below to remove the overlay window from the top of the target banking application.

Figure 11 – Removing overlay window

The ATS framework mentioned earlier was specifically developed for the “Banco Inter” mobile banking application. Likewise, the malware has incorporated various functions to carry out ATS for other banking applications such as NUBank and PagBank.


There has been a recent increase in the use of Android Banking Trojans that are specifically targeting Brazilian banks that use the PIX instant payment platform. A new version of GoatRAT has been observed that only uses the ATS framework to carry out fraudulent money transactions.

Furthermore, we observed that GoatRAT lacks any other banking Trojan features like the ability to steal authentication codes or incoming SMS messages. Instead, it relies solely on the Accessibility service to execute the ATS framework, which is adequate in itself to conduct fraudulent financial transactions.

This new variant highlights that in the current technological landscape, there is an elevated risk of cyberattacks that do not require multiple permissions or many Banking Trojan functionalities to execute financial fraud.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Initial Access | T1444 | Masquerade as a Legitimate Application |
| Discovery | T1418 | Application discovery |
| Impact | T1516 | Input Injection |

Indicators of Compromise (IOCs)

| Indicators | Indicator Type | Description |
|---|---|---|
| 6583a9b6b83738e0bf2a261fc04483e18772da3241e467fdef37a8e27b1869a7 | SHA256 | Hash of analyzed malicious APK |
| 60358f26853ccba6f137901c57147442e868041b | SHA1 | Hash of analyzed malicious APK |
| 9a8e85cf1bbd32c71f0efa42ffedf1a0 | MD5 | Hash of analyzed malicious APK |
| hxxps://bit[.]ly/nubankmodulo | URL | Shortened malware distribution URL |
| hxxps://goatrat[.]com/apks/apk20.apk | URL | Malware distribution URL |
| hxxp://api.goatrat[.]com:3008 | URL | C&C server to receive PIX key |
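One way to put the URL indicators above to work against proxy logs, as an added example that is not part of the original report. The log format and every log line are constructed; the point it shows is that the shortener link must be matched on host plus path, while the GoatRAT domain can be matched with its subdomains.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as this report lists them (defanged).
DEFANGED = [
    "hxxps://bit[.]ly/nubankmodulo",
    "hxxps://goatrat[.]com/apks/apk20.apk",
    "hxxp://api.goatrat[.]com:3008",
]
SHARED_HOSTS = {"bit.ly"}  # multi-tenant shortener: only host + path is an indicator

def refang(text):
    # Undo the hxxp, [://] and [.] defanging styles used on this page.
    return re.sub(r"^hxxp", "http", text, flags=re.I).replace("[://]", "://").replace("[.]", ".")

def build_rules(defanged):
    domains, exact = set(), set()
    for parts in (urlsplit(refang(i)) for i in defanged):
        if parts.hostname in SHARED_HOSTS:
            exact.add((parts.hostname, parts.path))
        else:
            domains.add(parts.hostname)
    return domains, exact

def match(url, domains, exact):
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    if (host, parts.path) in exact:
        return "exact-url"
    # Suffix match on a label boundary, so subdomains hit but look-alikes do not.
    if any(host == d or host.endswith("." + d) for d in domains):
        return "domain"
    return None

# Constructed proxy log lines (time, client, method, URL), kept defanged.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 10.0.0.7 GET hxxps://bit[.]ly/nubankmodulo
2023-03-01T10:00:02Z 10.0.0.7 GET hxxps://goatrat[.]com/apks/apk20.apk
2023-03-01T10:00:09Z 10.0.0.7 GET hxxp://api.goatrat[.]com:3008/
2023-03-01T10:01:00Z 10.0.0.8 GET hxxps://bit[.]ly/constructed-other-link
2023-03-01T10:02:00Z 10.0.0.9 GET hxxps://notgoatrat[.]com/
"""

def scan(log_text):
    domains, exact = build_rules(DEFANGED)
    rows = (line.split(maxsplit=3) for line in log_text.splitlines())
    scored = ((r[1], r[3], match(r[3], domains, exact)) for r in rows)
    return [hit for hit in scored if hit[2]]
```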
