Latest version of Android RAT BRATA wipes devices after stealing data

A new version of the BRATA malware implements a functionality to perform a factory reset of the device to wipe all data.

The new version of the BRATA Android malware supports new features, including GPS tracking and a functionality to perform a factory reset on the device.

Security experts at Kaspersky discovered the Android RAT BRATA (the name comes from ‘Brazilian RAT Android’) in 2019, when it was used to spy on Brazilian users. The BRATA RAT was first detected in January 2019 while spreading via WhatsApp and SMS messages.

The RAT was delivered through the official Google Play Store and also via unofficial Android app stores.

Most of the tainted apps pose as an update to the popular instant messaging application WhatsApp that would address the CVE-2019-3568 flaw in the instant messaging application. Once the malware has infected the victim’s device, it will start keylogging feature, enhancing it with real-time streaming functionality. The malware leverages the Android Accessibility Service feature to interact with other applications installed on the victim’s device.

BRATA supports many commands, such as unlocking the victims’ devices, collecting device information, turning off the device’s screen to surreptitiously run tasks in the background, executing any particular application and uninstall itself and removes any infection traces.

On December 2021, researchers from security firm Cleafy spotted a new variant targeting Android banking users in Europe to steal their credentials. Now the same researchers found a new variant that implements the new features described abive.

The latest version of the Android RAT is targeting e-banking users in the UK, Poland, Italy, Spain, China, and Latin America. It uses tailored overlay pages to targeted specific banking application and steal user’s PIN.

All the variants use similar obfuscation techniques that allowed the threat to avoid detection.

Below is the list of new features in the latest BRATA versions:

• Capability to perform the device factory reset: it appears that TAs are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt.
• GPS tracking capability
• Capability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection.
• Capability to continuously monitor the victim’s bank application through VNC and keylogging techniques.

Experts believe that the factory reset feature allows threat actors to delete any traces when the compromise has been completed or when the application detects it is running in a virtual environment used to analyze it.

“this mechanism represents a kill switch for this malware.” states the report. “In fact, it was also observed that this function is executed in two cases:

• A bank fraud has been completed successfully. In this way, the victim is going to lose even more time before understanding that a malicious action happened.
• The application is installed in a virtual environment. BRATA tries to prevent dynamic analysis through the execution of this feature.

The recent evolution of the BRATA RAT suggests that threat actors continue to improve it in the attempt to extend its audience of potential targets.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BRATA RAT)

[adrotate banner=”5″]

[adrotate banner=”13″]