GoPix Trojan Evolves: Now Targets Pix, Boletos, and Cryptocurrency Wallets

The Brazilian financial cyber threat landscape is witnessing a dangerous evolution with the GoPix banking Trojan expanding its operational scope. Initially designed to target the ubiquitous Pix instant payment system, the malware has now integrated sophisticated modules to attack two other critical financial pillars: the traditional boleto bancário (bank slip) and cryptocurrency transactions. This triple-threat capability signifies a strategic shift by threat actors to maximize illicit gains by covering the entire spectrum of digital payments used by Brazilian consumers and businesses.

Technical analysis reveals that the Trojan's core functionality remains social engineering and overlay attacks. It typically infiltrates devices through fake applications—often disguised as utility tools, package trackers, or even legitimate-looking financial apps—distributed via phishing campaigns, malicious ads, or third-party app stores. Once installed, the malware requests extensive accessibility permissions, effectively granting it the ability to monitor and interact with other applications on the device.

For Pix transactions, GoPix employs a classic overlay technique. When a user opens their legitimate banking app to make a Pix payment, the Trojan detects this activity and superimposes a fake, identical interface on top of the real app. This counterfeit screen captures the victim's credentials or, more critically, alters the destination payment details in real time, diverting funds to accounts controlled by the attackers.

The new boleto manipulation feature represents a significant escalation. Boletos are deeply ingrained in Brazilian commerce for bill payments and purchases. The malware now scans the device's screen for boleto barcodes and numbers. When a user intends to pay a boleto, the Trojan can replace the legitimate barcode data with a fraudulent one, tricking the victim into sending payment to the attacker's account. This attack is particularly insidious as it exploits a trusted, long-standing payment method often perceived as more secure by some users.

Perhaps the most concerning addition is the cryptocurrency wallet hijacking module. This functionality operates by monitoring the device's clipboard. When a user copies a cryptocurrency wallet address to paste into an exchange or payment app, GoPix silently replaces the copied address with one belonging to the threat actor. The user, unaware of the swap, pastes and sends funds directly to the criminal's wallet. Given the irreversible nature of most cryptocurrency transactions, this technique can lead to immediate and total loss of funds.

This evolution from a single-payment vector to a multi-pronged financial threat underscores the adaptability and resourcefulness of cybercriminal groups targeting Latin America. The attackers are clearly conducting detailed market analysis, identifying which financial instruments are most used and trusted, and then tailoring their malware to exploit them.

For the cybersecurity community, the expanded GoPix Trojan highlights several critical defensive priorities. First, application vetting is paramount. Users must be educated to download apps exclusively from official stores (Google Play, Apple App Store) and to scrutinize developer names, reviews, and requested permissions. An app requesting accessibility services without a clear, legitimate need is a major red flag.
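The accessibility-service and overlay grants described above are the two capabilities an overlay Trojan depends on, and both are visible to a device administrator. The following script is an added example, not code from the original article or from any of its sources: it parses the text printed by `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW` and flags packages that hold an accessibility grant without being on a managed allowlist, raising the severity when the same package also holds an overlay grant. The allowlist, package names and sample command outputs are constructed for this example, and the `appops` output shape (`SYSTEM_ALERT_WINDOW: allow; time=...`) is assumed from typical device output.

```python
"""Audit which Android apps hold accessibility-service and overlay grants.

Added example: parses the text that `adb shell settings get secure
enabled_accessibility_services` and `adb shell appops get <pkg>
SYSTEM_ALERT_WINDOW` print, and flags packages that hold the two grants
an overlay Trojan needs but are not on a managed allowlist. The allowlist,
sample outputs and package names below are constructed for this example.
"""
from typing import Dict, List, Tuple

# Constructed allowlist: apps expected to hold accessibility grants on a managed fleet.
ACCESSIBILITY_ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})


def parse_enabled_accessibility_services(raw: str) -> List[Tuple[str, str]]:
    """Parse the value of the `enabled_accessibility_services` secure setting.

    The setting is a ':'-separated list of 'package/ServiceClass' entries;
    an empty value is printed as 'null'. A leading '.' in the class name is
    shorthand for the package name.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    entries = []
    for item in raw.split(":"):
        pkg, _, service = item.partition("/")
        if service.startswith("."):
            service = pkg + service
        entries.append((pkg, service))
    return entries


def overlay_allowed(appops_output: str) -> bool:
    """Return True if an `appops get <pkg> SYSTEM_ALERT_WINDOW` line reports 'allow'.

    Assumed output shape: 'SYSTEM_ALERT_WINDOW: allow; time=+2h13m0s ago' or
    'SYSTEM_ALERT_WINDOW: deny'. Anything else (e.g. 'No operations.') is treated
    as not granted.
    """
    for line in appops_output.splitlines():
        name, _, mode = line.partition(":")
        if name.strip() == "SYSTEM_ALERT_WINDOW":
            return mode.strip().split(";")[0].strip() == "allow"
    return False


def audit_grants(accessibility_raw: str, appops_by_package: Dict[str, str],
                 allowlist=ACCESSIBILITY_ALLOWLIST) -> List[dict]:
    """Return one finding per package outside the allowlist that holds an
    accessibility grant. Severity is 'high' when the package also holds an
    overlay grant, since that pairing is what an overlay attack on a banking
    app requires; otherwise 'medium'."""
    findings = []
    for pkg, service in parse_enabled_accessibility_services(accessibility_raw):
        if pkg in allowlist:
            continue
        has_overlay = overlay_allowed(appops_by_package.get(pkg, ""))
        findings.append({
            "package": pkg,
            "service": service,
            "overlay": has_overlay,
            "severity": "high" if has_overlay else "medium",
        })
    return findings


# Constructed sample: what the two adb commands might print on an affected device.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.packagetracker/.RelayService"
)
SAMPLE_APPOPS = {
    "com.example.packagetracker": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m0s ago",
    "com.example.bank": "SYSTEM_ALERT_WINDOW: deny",
}

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_ACCESSIBILITY, SAMPLE_APPOPS):
        print(finding)
```

On a managed fleet the same check can be run from an MDM inventory instead of `adb`; the point is that a non-accessibility app (a "package tracker", a utility) holding both grants is the combination to investigate, not either grant on its own.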

Second, behavioral detection becomes more important than ever. Security solutions need to monitor for suspicious activity such as the drawing of overlays on top of banking apps, unexpected clipboard modifications when financial apps are in use, or attempts to read and modify on-screen barcode data.

Finally, user awareness campaigns need to adapt. The message must move beyond "don't click suspicious links" to include specific guidance on verifying transaction details at multiple steps—double-checking Pix keys and recipient names, confirming boleto beneficiary information directly with the issuing company, and always verifying the first and last few characters of a pasted cryptocurrency wallet address.
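The clipboard swap described earlier and the "check the first and last characters" advice above can both be turned into code. The following is an added example, not code from the original article or its sources: a detector that runs over a clipboard event log and flags a wallet-looking address being overwritten, within a few seconds, by a different wallet-looking address written by another untrusted package, plus the manual head/tail comparison a user is told to do. The event log format (timestamp, writing package, clipboard text) is an assumption standing in for whatever an endpoint agent or clipboard hook records; the addresses and package names are constructed.

```python
"""Flag clipboard swaps of the kind described above and check pasted addresses.

Added example. The event log format (timestamp, writing package, clipboard
text) is an assumption: it stands in for whatever a security agent or
clipboard-monitoring hook records on the device. Addresses and package
names are constructed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Loose shape checks for two common address families; enough to tell
# "looks like a wallet address" from ordinary clipboard text.
ADDRESS_PATTERNS = (
    re.compile(r"^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,59}$"),  # Bitcoin legacy / bech32 shape
    re.compile(r"^0x[0-9a-fA-F]{40}$"),                    # Ethereum-style hex
)


@dataclass(frozen=True)
class ClipboardEvent:
    ts: float      # seconds, monotonic
    package: str   # app that wrote the clipboard
    text: str


def looks_like_wallet_address(text: str) -> bool:
    return any(p.match(text.strip()) for p in ADDRESS_PATTERNS)


def detect_clipboard_swaps(events: List[ClipboardEvent], window_seconds: float = 5.0,
                           trusted_packages: FrozenSet[str] = frozenset()
                           ) -> List[Tuple[ClipboardEvent, ClipboardEvent]]:
    """Return (original, replacement) pairs where a wallet-looking address was
    overwritten within `window_seconds` by a different wallet-looking address
    written by another, untrusted package. A user copying a second address
    from the same app, or a password/address manager the fleet trusts, is
    not flagged."""
    alerts = []
    for i, ev in enumerate(events):
        if not looks_like_wallet_address(ev.text):
            continue
        for later in events[i + 1:]:
            if later.ts - ev.ts > window_seconds:
                break
            if (looks_like_wallet_address(later.text) and later.text != ev.text
                    and later.package != ev.package
                    and later.package not in trusted_packages):
                alerts.append((ev, later))
                break
    return alerts


def address_tail_matches(pasted: str, expected: str, n: int = 4) -> bool:
    """The manual check recommended above: compare the first and last n characters."""
    return pasted[:n] == expected[:n] and pasted[-n:] == expected[-n:]


# Constructed sample addresses and clipboard log.
VICTIM_BTC = "bc1qexampleuservictimaddr00000000000001"
SWAPPED_BTC = "bc1qattackercontrolledaddr0000000000002"
LOOKALIKE_BTC = "bc1qdifferentmiddlepartbutsameends00001"  # same first/last 4 chars as VICTIM_BTC
VICTIM_ETH = "0x" + "ab" * 20

SAMPLE_EVENTS = [
    ClipboardEvent(100.0, "com.example.wallet", VICTIM_BTC),     # user copies payee address
    ClipboardEvent(100.4, "com.example.tracker", SWAPPED_BTC),   # background app overwrites it
    ClipboardEvent(130.0, "com.example.notes", "meeting at 3pm"),
    ClipboardEvent(200.0, "com.example.wallet", VICTIM_ETH),
    ClipboardEvent(200.2, "com.example.wallet", VICTIM_ETH),     # same app, same text: benign
]

if __name__ == "__main__":
    for original, swap in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"{swap.package} replaced clipboard {original.text[:8]}... within "
              f"{swap.ts - original.ts:.1f}s of {original.package} writing it")
```

Two design points: the detector keys on the writing package changing, not merely on the text changing, because a user legitimately re-copies addresses; and `address_tail_matches` is only the convenience check the article recommends. The `LOOKALIKE_BTC` sample shows why: it passes the head/tail comparison while differing in the middle, so a full-string comparison against the intended address, or a wallet app that displays the whole address for confirmation, is the stronger control.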

The proliferation of GoPix and its ilk represents a direct attack on financial inclusion and digital trust in one of the world's most dynamic digital economies. Combating it requires a coordinated effort from financial institutions, cybersecurity firms, app store operators, and end-users to raise barriers, detect malicious activity early, and limit the profitability of these fraudulent schemes.

Original sources

This article was generated by our NewsSearcher AI system, analyzing information from multiple reliable sources.

"GoPix Trojan now steals Pix, boletos and cryptocurrencies" (original title: "Trojan GoPix agora rouba Pix, boletos e criptomoedas"), Olhar Digital

"5 warning signs that the app you downloaded is fake and is actually a virus" (original title: "5 Señales de alerta de que la app que descargaste es una falsa y se trata de un virus"), La Opinión

This article was written with AI assistance and reviewed by our editorial team.
