First discovered in 2019, BRATA malware is contained in a malicious app which victims are tricked into installing on their phones. BRATA is a banking Trojan that gains access to your bank, withdraws your funds, and then wipes your phone with a factory reset to hide the evidence of its activities.
BRATA stands for “Brazilian Remote Access Tool, Android”, and began as a banking trojan in Brazil in 2019. The original capabilities of this app included screen capture, app installation and deactivation of the screen to make the device appear as if it were switched off. Since then, BRATA has launched attacks in Europe, specifically targeting users of Spanish and British banks in 2021. These attacks included the use of anti-spam apps, tricking users into giving the malicious attackers full control over the infected device. The campaign even involved the use of fake support employees who would telephone the victim to further sell the scheme.
The attack begins with a phishing SMS sent to the user, containing a link to a malicious website. This SMS is a spoof of the target bank, and is trying to trick users into downloading an app to ‘help improve their security’ – such as an anti-spam app. The link is actually to a phishing page that mimics the bank’s login page to harvest credentials for later social engineering use. A fraud operator then telephones the victim to convince them to download the malicious app, utilising social engineering techniques. During the installation process the victims give the attackers full control over the device by granting the app access to accessibility services, SMS permissions and recording/casting modules in the malware app. The attackers are now able to access everything they need to perform fraudulent bank transactions, including bypassing 2-factor authentication (2FA) requirements.
At the start of this year, an updated version of BRATA was found to utilise GPS tracking, and acquire overlay, SMS, and device management permissions. It also involves multiple Command & Control (C2) communication channels to broaden its capabilities, such as gaining device permissions, and sideloading second-stage malware to perform event logging. This is managed by the download of a .zip file which contains a plugin called unrar.jar. After this, the .jar file monitors events, and whenever a change in text view occurs, this is stored in a local database along with the Event Text and Date of the event, thereby creating its own accessible log of tracked events.
January’s version was also the first instance of the factory-reset command, which BRATA has become known for. After all of the victim’s data had been stolen in the attack, the malware would then trigger the device to be wiped in a full factory reset. This was thought to have been implemented to prevent users from noticing or reporting any unauthorised banking activity, as it was only triggered after either a successful wire transfer, or after the malware had been detected by security software.
According to new research from security firm Cleafy Labs, the attackers behind BRATA now seem to target only one bank or financial institution at a time. The attackers then move on once too many countermeasures are in place for them to continue to operate against this target bank. This allows them to create a phishing login page that is a good copy of their target bank to more effectively trick account holders. The attackers can also access 2-factor authentication (2FA) codes such as one-time-passcodes (OTPs) that are sent via text by banks to their customers devices. This involves the use of the RECEIVE_SMS and SEND_SMS permissions inside the AndroidManifest file. With access to the victim’s texts, and the sophisticated phishing login page, the threat actors would now have everything needed for an account takeover (ATO) attack.
Recently, versions of a new trojan malware using the same C2 infrastructure as BRATA have been identified, targeting users in the UK, Italy, and Spain, with local language versions of the app for each country. This appears to be an SMS stealer app that can both send and receive messages on the affected device. Victims are asked to make this app their default messaging app after it has been installed, therefore allowing it to intercept all messages. This could be used for contact harvesting as well as for access to 2FA and OTP codes. It is thought that not only do these apps share the same methods and C2 infrastructure, but there are also sections of BRATA’s code in this new SMS stealer app. They also both utilise the endpoint “/rdc”, and the same ports for C2 access. Port 19999 is used to inform the C2 that the app has been installed, and port 18888 is used to send SMS to intercept the C2.
To protect your devices from BRATA and similar trojan apps it is not always enough to stay vigilant, as complex social engineering schemes can trick even tech-competent users. Malicious apps can sometimes appear on the Google Play store before being reported and removed, and actors are sometimes hired as fake support employees to provide a more convincing con. Ensuring you have up to date mobile antivirus running effectively and in real time can provide an extra layer of protection, as well as critical analysis of apps who ask for unexpected device permissions such as “Erase all data” or “Send and View SMS”.
Security Managers can protect their fleet of Android devices from BRATA and similar threats by:
- Blocking the ability to sideload apps from unofficial app stores
- Provide security awareness training to users to help them spot apps requested excessive privileges
- Implementing endpoint protection and mobile device management systems to limit what apps can be installed on the device and identify apps with malicious intent