The latest version of the BRATA malware includes a feature that performs a factory reset after it steals data
In 2019, security experts at Kaspersky Lab discovered the Android RAT BRATA. It was first detected in January 2019 while spreading through WhatsApp and SMS messages. At the time it was used mainly to spy on Brazilian Android users; it has since broadened its reach to target US and Spanish bank brands.
BRATA can unlock the victim’s device, collect device information, turn off the device screen, run tasks in the background and launch any application. Afterwards, it uninstalls itself, removing any trace of the infection. It can also take screenshots of the device screen and send them to an attacker-controlled server.
Researchers at security firm Cleafy spotted a new variant in December 2021 that targets Android banking users in Europe and steals data from their devices.
The latest version of the RAT targets online banking users in the UK, Spain, China, Poland, Italy, and Latin America.
The latest BRATA version has the following features:
- GPS tracking capability
- Performing device factory reset
- The ability to use multiple communication channels
- Monitoring the victim’s bank application through VNC and keylogging techniques
Most of these malicious applications pose as an update to WhatsApp (an instant messaging application). Once installed, the app infects the victim’s device and starts its keylogging feature, which it then supplements with real-time streaming functionality.
The malware interacts with other applications installed on the victim’s device by abusing the Android Accessibility Service.
BRATA also spreads through SMS messages that impersonate a bank. The message contains a link to a website where the attacker tricks the victim into downloading a supposed anti-spam app. The fraudsters then call the victim and talk them into installing the banking Trojan app. This lets the fraudsters capture the second-factor authentication codes the bank sends and use them to commit fraud.
The factory reset feature lets the attackers wipe any evidence. It also keeps the victim from discovering the unauthorized activity, so they cannot stop or report a fraudulent transaction.
The factory reset acts as a kill switch, triggered after a successful illicit activity.
To avoid infection by BRATA and similar malware, experts recommend installing apps only from trusted publishers on the Google Play Store and scanning them with antivirus software before running them.
It is also important to review the permissions an app requests during installation and to deny any that are not essential to the app’s core functionality.
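The permission review above can be turned into a quick triage check. The script below is an added example written for this page, not code from the article or from any of the researchers it cites. It parses a simplified, constructed snippet modelled on `adb shell dumpsys package` output (the real output carries many more fields, which the parser skips) and flags packages that combine the permissions behind the capabilities described in the article: accessibility-service binding (control of other apps' UI), device-admin binding (the privilege a factory reset via `DevicePolicyManager.wipeData()` requires, a point of general Android knowledge rather than one made on the page), SMS access (interception of one-time codes) and overlay windows. It also flags packages whose name contains "whatsapp" but is not the real `com.whatsapp` package id, since the article says the droppers pose as a WhatsApp update. The permission set and thresholds are the author's assumptions, not an official indicator list.

```python
import re
from typing import Dict, List

# Permissions that, in combination, match the capabilities the article attributes
# to BRATA. The capability-to-permission mapping is general Android knowledge
# (assumption for this example), e.g. wipeData() requires an active device admin.
RISKY_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: reads and drives other apps' UI",
    "android.permission.BIND_DEVICE_ADMIN": "device admin: can lock the device or trigger a factory reset",
    "android.permission.RECEIVE_SMS": "SMS receipt: can intercept one-time 2FA codes",
    "android.permission.READ_SMS": "SMS read access: can read one-time 2FA codes",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows: can draw fake login screens",
}

# Brands that droppers impersonate, mapped to the genuine package id.
# Only WhatsApp is named on the page; com.whatsapp is its real package id.
OFFICIAL_PACKAGES = {"whatsapp": "com.whatsapp"}

PACKAGE_RE = re.compile(r"^\s*Package \[(?P<pkg>[^\]]+)\]")


def parse_requested_permissions(dumpsys_text: str) -> Dict[str, List[str]]:
    """Return {package_name: [requested permissions]} from text shaped like
    `adb shell dumpsys package` output. Only the 'requested permissions:' block
    of each package is read; every other section is skipped."""
    result: Dict[str, List[str]] = {}
    current = None
    in_requested = False
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:                      # new package header starts a new record
            current = m.group("pkg")
            result[current] = []
            in_requested = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if stripped.endswith(":"):  # any other section header ends the block
            in_requested = False
            continue
        if in_requested and stripped.startswith("android.permission."):
            result[current].append(stripped)
    return result


def audit(dumpsys_text: str) -> List[dict]:
    """Flag packages that request two or more risky permissions, or whose name
    impersonates a known brand without being the genuine package."""
    findings = []
    for pkg, perms in parse_requested_permissions(dumpsys_text).items():
        risky = [p for p in perms if p in RISKY_PERMISSIONS]
        impersonates = None
        for brand, official in OFFICIAL_PACKAGES.items():
            if brand in pkg.lower() and pkg != official:
                impersonates = official
        if len(risky) >= 2 or impersonates:
            findings.append({"package": pkg, "risky": risky, "impersonates": impersonates})
    return findings


# Constructed sample input (not a capture from a real device): a genuine
# WhatsApp install, a dropper posing as a WhatsApp update, and a benign app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.whatsapp] (1a2b3c):
    userId=10101
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.whatsapp.update.installer] (4d5e6f):
    userId=10102
    requested permissions:
      android.permission.INTERNET
      android.permission.BIND_ACCESSIBILITY_SERVICE
      android.permission.BIND_DEVICE_ADMIN
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (7a8b9c):
    userId=10103
    requested permissions:
      android.permission.INTERNET
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMPSYS):
        print(finding["package"])
        if finding["impersonates"]:
            print("  name resembles", finding["impersonates"], "but is a different package")
        for perm in finding["risky"]:
            print("  ", perm, "->", RISKY_PERMISSIONS[perm])
```

On a real device the input would come from `adb shell dumpsys package packages`; the genuine WhatsApp entry is not flagged because a single SMS permission on the real package id is expected, while the look-alike package trips both the impersonation check and the permission threshold.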