This Android Malware Wipes Your Device After Stealing Data

New features in the latest BRATA versions include GPS tracking and the ability to continuously monitor the victim’s bank application.

 

The BRATA Android malware has been updated to include additional functions such as GPS tracking and the ability to execute a factory reset on the device. 

The Android RAT BRATA (the name comes from 'Brazilian RAT Android') was discovered in 2019 by Kaspersky security professionals and was used to spy on Brazilian users. In January 2019, the BRATA RAT was discovered circulating over WhatsApp and SMS communications.

The RAT was distributed both through Google's official Play Store and through alternative Android app marketplaces. The majority of the infected apps masquerade as an update to the popular instant messaging service WhatsApp, claiming to fix the CVE-2019-3568 vulnerability in the app. Once it has infected the victim's device, the malware begins keylogging and adds real-time streaming features to it.

To interact with other apps on the victim's device, the malware makes use of the Android Accessibility Service function. BRATA supports many commands, including unlocking the victim's device, gathering device information, shutting off the device's screen to run tasks in the background, executing any specific application, uninstalling itself, and removing any infection traces.

Researchers from security firm Cleafy discovered a new variant affecting Android banking users in Europe in December 2021, with the goal of stealing their passwords. The same researchers have now discovered a new version that has the new features mentioned above.

The Android RAT's current version is aimed at e-banking users in the United Kingdom, Poland, Italy, Spain, China, and Latin America. It uses custom overlay pages to target specific banking applications and steal users’ PINs. All the versions employ the same obfuscation strategies, allowing the threat to remain undetected.

The following is a list of new features in the most recent BRATA releases: 

• Capability to perform the device factory reset: it appears that threat actors (TAs) are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt.
• GPS tracking capability 
• Capability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection. 
• Capability to continuously monitor the victim’s bank application through VNC and keylogging techniques. 
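Several of the capabilities listed above have to be declared in an app's manifest, so a defender can check for them before an app is allowed onto a device. The following added example (not from the original article or the Cleafy report) triages a decoded APK for an Accessibility Service combined with a device-admin `wipe-data` policy and location access. It assumes the reset goes through Android's device-admin API, which the article does not specify; the manifest, policy file and package name are constructed samples.

```python
import xml.etree.ElementTree as ET  # for untrusted APKs, prefer defusedxml

A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded AndroidManifest.xml (hypothetical app, not a BRATA sample)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.updater">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/admin"/>
    </receiver>
  </application>
</manifest>"""

# Constructed sample of the policy file the receiver's meta-data points to
SAMPLE_ADMIN_POLICY = """<device-admin>
  <uses-policies><wipe-data/><force-lock/></uses-policies>
</device-admin>"""

LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}

def triage(manifest_xml, admin_policy_xml=None):
    """Return the capability flags a decoded APK declares."""
    root = ET.fromstring(manifest_xml)
    flags = set()
    if LOCATION & {e.get(A + "name") for e in root.iter("uses-permission")}:
        flags.add("location")
    # An Accessibility Service must be protected by this bind permission
    if any(s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        flags.add("accessibility")
    if any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
           for r in root.iter("receiver")):
        flags.add("device_admin")
        # Assumption: the wipe uses the device-admin API, which needs <wipe-data/>
        if admin_policy_xml and ET.fromstring(admin_policy_xml).find(".//wipe-data") is not None:
            flags.add("wipe_data")
    return flags

def is_high_risk(flags):
    """UI control through accessibility plus the right to wipe the device."""
    return {"accessibility", "wipe_data"} <= flags

if __name__ == "__main__":
    print(sorted(triage(SAMPLE_MANIFEST, SAMPLE_ADMIN_POLICY)))
```

Legitimate apps also declare Accessibility Services and device-admin receivers, so a hit is a reason to review the app, not a verdict on it.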

Researchers believe that the factory reset option enables threat actors to erase all traces of a compromise once it has been completed or when the application detects that it is running in a virtual environment for analysis.

The report stated, “this mechanism represents a kill switch for this malware. In fact, it was also observed that this function is executed in two cases: 
• A bank fraud has been completed successfully. In this way, the victim is going to lose even more time before understanding that a malicious action happened. 
• The application is installed in a virtual environment. BRATA tries to prevent dynamic analysis through the execution of this feature.” 

The BRATA RAT's recent evolution implies that threat actors are working to improve it in order to broaden its target demographic.