Cleafy, a cybersecurity company that specializes in online fraud detection, has released new information regarding the Android banking Trojan BRATA (Brazilian Remote Access Tool), a known malware strain that first started spreading in 2019.
At present, BRATA resets victims’ devices to factory settings. Why would it do that, when malware rarely damages or wipes a victim’s device (there is rarely anything in it for the attackers)?
Cleafy says that after the attackers have drained the victim’s bank account, the victim’s Android device is factory reset. This diverts attention away from the fraud and also erases any traces that forensic analysts could find useful.
Out with the old
BRATA used to target only Brazilian banks, but according to Cleafy the list of current targets now also includes institutions in Italy, the United Kingdom, the United States, Poland, Spain, and Latin America. Along with the factory reset functionality, Cleafy has also disclosed a number of new capabilities:
- a GPS tracking feature
- a variety of ways to stay in touch with command and control (C2) servers
- the ability to use keylogging and VNC (Virtual Network Computing) to continuously watch a victim’s bank account
But how does such harmful spyware get onto victims’ devices?
How BRATA is disseminated
A BRATA campaign begins when a potential target receives an SMS purporting to be from their bank. A link in the SMS directs the recipient to a web page that downloads the BRATA malware. The target also receives a phone call from an attacker posing as a bank employee.
The app requests a number of permissions that, even to the untrained eye, can raise concerns and discourage users from installing it. According to Cleafy, the caller’s first task is therefore to persuade the victim, using social engineering techniques, to install it.
Once the app is installed, the fraudsters can access the target device remotely whenever they want and conduct financial transactions without the victim’s knowledge. The app can also carry out administrative tasks such as locking the screen, changing the screen lock, and setting password policies. Being a device admin app is also what enables the latest BRATA strain to factory reset the compromised mobile device.
A two-factor authentication (2FA) code from the bank does not protect accounts in this situation: BRATA intercepts the 2FA codes the bank sends to the victim and forwards them to the fraudster’s command and control server.
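The capabilities described above (device administration with factory reset, screen lock and password policy changes, SMS interception of 2FA codes, GPS tracking) all show up in an app's declared permissions and device-admin policy before it is ever run. The following is an added triage script, not code from the article or from Cleafy, that parses a decoded AndroidManifest.xml and the device-admin policy XML it references and maps what it finds to those capabilities. It assumes the manifest has already been decoded from the APK (for example with apktool); the sample manifest and policy file embedded below are constructed for illustration and do not come from a real BRATA sample.

```python
import xml.etree.ElementTree as ET

# Android resource namespace used for attributes such as android:name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Manifest permissions mapped to the capabilities described in the article.
PERMISSION_FLAGS = {
    "android.permission.RECEIVE_SMS": "reads incoming SMS (2FA code interception)",
    "android.permission.READ_SMS": "reads stored SMS (2FA code interception)",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
}

# Device-admin policies (declared in the receiver's policy XML) mapped to the
# administrative actions the article describes.
POLICY_FLAGS = {
    "wipe-data": "factory reset ('Erase all data')",
    "reset-password": "change the screen lock",
    "force-lock": "lock the screen",
    "limit-password": "set password policies",
}

# Constructed sample manifest of a hypothetical fake-bank app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample device-admin policy file (res/xml/device_admin.xml).
SAMPLE_DEVICE_ADMIN = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <limit-password/>
    <reset-password/>
    <force-lock/>
    <wipe-data/>
  </uses-policies>
</device-admin>
"""

# A benign manifest for comparison (constructed).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def triage(manifest_xml, device_admin_xml=None):
    """Return a list of human-readable findings for the given manifest.

    device_admin_xml is the policy file referenced by the device-admin
    receiver's meta-data; it is only consulted when such a receiver exists.
    """
    findings = []
    root = ET.fromstring(manifest_xml)

    # Manifest element tags carry no namespace; only attributes do.
    declared = {p.get(A + "name") for p in root.iter("uses-permission")}
    for perm, meaning in PERMISSION_FLAGS.items():
        if perm in declared:
            findings.append("%s: %s" % (perm, meaning))

    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN.
    admin_receivers = [
        r for r in root.iter("receiver")
        if r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
    ]
    if admin_receivers:
        findings.append("device-admin receiver declared")
        if device_admin_xml is not None:
            policy_root = ET.fromstring(device_admin_xml)
            for element in policy_root.iter():
                if element.tag in POLICY_FLAGS:
                    findings.append("policy %s: %s" % (element.tag, POLICY_FLAGS[element.tag]))
    return findings


def is_wipe_capable(findings):
    """True when the app can factory reset the device through device admin."""
    return any(f.startswith("policy wipe-data") for f in findings)


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_DEVICE_ADMIN):
        print(line)
```

The combination the script flags on the constructed sample, SMS access plus a device-admin receiver whose policy file requests wipe-data, is exactly the pairing the article describes: the same app that reads the bank's 2FA codes can erase the device once the account is emptied. A legitimate banking app has no reason to request device administration, so that receiver alone is a strong reason to stop and investigate.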
Because mule accounts connected to this campaign were discovered in Italy, Lithuania, and the Netherlands, Cleafy believes that the current operators of the BRATA mobile malware are based in at least one European country.
Defend yourself against BRATA
This malware serves as a warning to all Android users to avoid installing apps from outside Google Play and to be wary of the permissions that apps request. For instance, BRATA asks for the “Erase all data” permission, which is not something most of us want an app on our mobile device to have.
Although this version of BRATA was not found on Google Play, earlier versions have been found there, reported, and removed. So be cautious even when installing from Google Play, and keep your mobile antivirus running in real time and up to date.
Indicators of compromise (SHA-256 hashes)
- E00240F62EC68488EF9DFDE705258B025C613A41760138B5D9BDB2FB59DB4D5E – Malwarebytes detects it as Android/Trojan.Agent.PWSCR
- E769EF0D011CBF3322C9E85D4CDF70AF413F021D033AED884C1431F2B7861D0D – Malwarebytes detects it as Android/Trojan.Spy.Agent.GPPSSATB
- 2846C9DDA06A052049D89B1586CFF21F44D1D28F153A2FF4726051AC27CA3BA7 – Malwarebytes detects it as Android/Trojan.Spy.Brat.dsa
- F9DC40A7DD2A875344721834E7D80BF7DBFA1BF08F29B7209DEB0DECAD77E992 – Malwarebytes detects it as Android/Trojan.Spy.Brat.gvmb
- 4CDBD105AB8117620731630F8F89EB2E6110DBF6341DF43712A0EC9837C5A9BE – Malwarebytes detects it as Android/Trojan.Spy.Brat.oupa
- D9BC87AB45B0C786AA09F964A8101F6DF7EA76895E2E8438C13935A356D9116B – Malwarebytes detects it as Android/Trojan.Spy.Brat.prta
- 648A5A705BBE88E52569B3774A689A82F53962E8827B143189639D48727BD159 – Malwarebytes detects it as Android/Trojan.Spy.SpyNote.dcnp
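The hashes above are only useful if you actually compare them against something. The following is an added example, not code from the article, Malwarebytes or Cleafy, that hashes APK files pulled from a device or a file share and looks them up in the list published here. It assumes you have already retrieved the APKs to a local directory (the `adb pull` step is not part of the script), and the sample bytes used in the test are constructed, so they match nothing.

```python
import hashlib
import sys
from pathlib import Path

# SHA-256 hashes and detection names exactly as listed in the article.
BRATA_IOCS = {
    "E00240F62EC68488EF9DFDE705258B025C613A41760138B5D9BDB2FB59DB4D5E": "Android/Trojan.Agent.PWSCR",
    "E769EF0D011CBF3322C9E85D4CDF70AF413F021D033AED884C1431F2B7861D0D": "Android/Trojan.Spy.Agent.GPPSSATB",
    "2846C9DDA06A052049D89B1586CFF21F44D1D28F153A2FF4726051AC27CA3BA7": "Android/Trojan.Spy.Brat.dsa",
    "F9DC40A7DD2A875344721834E7D80BF7DBFA1BF08F29B7209DEB0DECAD77E992": "Android/Trojan.Spy.Brat.gvmb",
    "4CDBD105AB8117620731630F8F89EB2E6110DBF6341DF43712A0EC9837C5A9BE": "Android/Trojan.Spy.Brat.oupa",
    "D9BC87AB45B0C786AA09F964A8101F6DF7EA76895E2E8438C13935A356D9116B": "Android/Trojan.Spy.Brat.prta",
    "648A5A705BBE88E52569B3774A689A82F53962E8827B143189639D48727BD159": "Android/Trojan.Spy.SpyNote.dcnp",
}


def sha256_bytes(data):
    """Upper-case hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest().upper()


def sha256_file(path, chunk_size=1 << 20):
    """Upper-case hex SHA-256 of a file, read in chunks so large APKs fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def lookup(hexdigest):
    """Return the detection name for a known hash, or None. Case-insensitive."""
    return BRATA_IOCS.get(hexdigest.strip().upper())


def scan_directory(directory, pattern="*.apk"):
    """Map each matching APK path under `directory` to its detection name."""
    hits = {}
    for apk in Path(directory).rglob(pattern):
        name = lookup(sha256_file(apk))
        if name is not None:
            hits[str(apk)] = name
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    matches = scan_directory(target)
    for path, name in sorted(matches.items()):
        print("%s  %s" % (path, name))
    # Non-zero exit makes the check usable from a script or CI job.
    sys.exit(1 if matches else 0)
```

A hash match is conclusive, but a miss is not: a repackaged or updated BRATA build has a different hash, so this check complements rather than replaces the permission review and real-time mobile antivirus the article recommends.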