BRATA Android Malware evolves and targets the UK, Spain, and Italy

The developers behind the BRATA Android malware have implemented additional features to avoid detection.

The operators behind the BRATA Android malware have implemented more features to make their attacks stealthy. The malware was first spotted in 2019 by security experts at Kaspersky, the name BRAT comes from ‘Brazilian RAT Android,’ because at the time it was used to spy on Brazilian users.

Now researchers from Cleafy have spotted the BRATA malware targeting a specific financial institution, its operators modified the attack chain customizing the malware to hit a specific target at a time, moving to a different bank after the victim begins implementing countermeasures.

“TAs are modifying their code in order to tailor their malware on specific banking institutions. This code refractory is actually doing small changes compared to old versions of BRATA, as there are a bunch of classes that have been added for very specific purposes.” reads the report published by the researchers.

During the last months, a new variant has been observed targeting entities in EU territory posing as specific bank applications. The new variants include new features that are used to impersonate the login page of the target financial institution to harvest credentials, access SMS messages, acquire GPS, and sideload a second-stage payload from a C2 server to log events.

The current version of the BRATA Android malware has introduced two new permissions inside the AndroidManifest file, the RECEIVE_SMS and SEND_SMS. These two permissions allows the operators to receive and read the victim’s sms while performing a phishing attack and takeover the victims’ account.

Cleafy researchers noticed the use of a specific package to siphon SMS messages, a circumstance that suggests that the BRATA operators are performing some test to improve their stealing capabilities.

This malicious app was developed to target users from Italy, Spain, and the UK.

“Starting from June 2021, when we first intercepted the BRATA campaigns in Italy, we observed an uninterrupted evolution of both the malware and the attack methodologies used by the TAs. The first campaigns of malware were distributed through fake antivirus or other common apps, while during the campaigns the malware is taking the turn of an APT attack against the customer of a specific Italian bank.” concludes the report. “They usually focus on delivering malicious applications targeted to a specific bank for a couple of months, and  then moving to another target.”

“They usually focus on delivering malicious applications targeted to a specific bank for a couple of months, and then moving to another target.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BRATA Android malware)

[adrotate banner=”5″]

[adrotate banner=”13″]