The new version of the BRATA Android malware supports new features, including GPS tracking and a functionality to perform a factory reset on the device.
Security experts at Kaspersky discovered the Android RAT BRATA (the name comes from ‘Brazilian RAT Android’) in 2019, when it was used to spy on Brazilian users. The BRATA RAT was first detected in January 2019 while spreading via WhatsApp and SMS messages.
The RAT was delivered through the official Google Play Store and also via unofficial Android app stores.
Most of the tainted apps pose as an update to the popular instant messaging application WhatsApp that would address the CVE-2019-3568 flaw in the instant messaging application. Once the malware has infected the victim’s device, it will start keylogging feature, enhancing it with real-time streaming functionality. The malware leverages the Android Accessibility Service feature to interact with other applications installed on the victim’s device.
BRATA supports many commands, such as unlocking the victims’ devices, collecting device information, turning off the device’s screen to surreptitiously run tasks in the background, executing any particular application and uninstall itself and removes any infection traces.
On December 2021, researchers from security firm Cleafy spotted a new variant targeting Android banking users in Europe to steal their credentials. Now the same researchers found a new variant that implements the new features described abive.
The latest version of the Android RAT is targeting e-banking users in the UK, Poland, Italy, Spain, China, and Latin America. It uses tailored overlay pages to targeted specific banking application and steal user’s PIN.
All the variants use similar obfuscation techniques that allowed the threat to avoid detection.
Below is the list of new features in the latest BRATA versions:
Experts believe that the factory reset feature allows threat actors to delete any traces when the compromise has been completed or when the application detects it is running in a virtual environment used to analyze it.
“this mechanism represents a kill switch for this malware.” states the report. “In fact, it was also observed that this function is executed in two cases:
The recent evolution of the BRATA RAT suggests that threat actors continue to improve it in the attempt to extend its audience of potential targets.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, BRATA RAT)
[adrotate banner=”5″]
[adrotate banner=”13″]