How the Phone-Wiping Banking Trojan BRATA is Becoming a More Advanced Threat

First discovered in 2019, the BRATA malware is delivered inside a malicious app that victims are tricked into installing on their phones. BRATA is a banking Trojan that gains access to the victim's bank account, withdraws funds, and then wipes the phone with a factory reset to hide the evidence of its activity.

BRATA stands for “Brazilian Remote Access Tool, Android” and began as a banking Trojan in Brazil in 2019. The original capabilities of the app included screen capture, app installation, and deactivation of the screen to make the device appear to be switched off. Since then, BRATA has launched attacks in Europe, specifically targeting users of Spanish and British banks in 2021. These attacks used fake anti-spam apps to trick users into giving the attackers full control over the infected device, and the campaign even employed fake support employees who telephoned the victim to make the scheme more convincing.

The attack begins with a phishing SMS sent to the user containing a link to a malicious website. The SMS spoofs the target bank and tries to trick the user into downloading an app that will supposedly ‘help improve their security’, such as an anti-spam app. The link actually leads to a phishing page that mimics the bank’s login page in order to harvest credentials for later use in social engineering. A fraud operator then telephones the victim and uses social engineering techniques to convince them to download the malicious app. During installation the victim hands the attackers full control of the device by granting the app access to accessibility services, SMS permissions, and the recording/casting modules built into the malware. The attackers now have everything they need to perform fraudulent bank transactions, including bypassing two-factor authentication (2FA) requirements.

At the start of this year, an updated version of BRATA was found to use GPS tracking and to acquire overlay, SMS, and device management permissions. It also uses multiple Command & Control (C2) communication channels to broaden its capabilities, such as obtaining device permissions and sideloading second-stage malware to perform event logging. This is managed by downloading a .zip file that contains a plugin called unrar.jar. The .jar file then monitors events: whenever a text view changes, the change is stored in a local database together with the event text and the date of the event, giving the malware its own accessible log of tracked events.

January’s version was also the first to include the factory-reset command that BRATA has become known for. Once all of the victim’s data had been stolen, the malware would trigger a full factory reset of the device. This is thought to have been implemented to stop users from noticing or reporting unauthorised banking activity, as it was only triggered after either a successful wire transfer or the detection of the malware by security software.

According to new research from the security firm Cleafy Labs, the attackers behind BRATA now appear to target only one bank or financial institution at a time, moving on once too many countermeasures are in place for them to keep operating against that bank. Focusing on a single target lets them build a phishing login page that closely copies the target bank and so more effectively tricks account holders. The attackers can also read two-factor authentication (2FA) codes such as one-time passcodes (OTPs) that banks send to their customers’ devices by text. This relies on the RECEIVE_SMS and SEND_SMS permissions declared in the app’s AndroidManifest file. With access to the victim’s texts and a convincing phishing login page, the threat actors have everything needed for an account takeover (ATO) attack.
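The manifest permissions mentioned above are something an app reviewer or MDM administrator can check for before an app reaches a device. The following is an added example, not code from the article or from Cleafy: it parses a constructed AndroidManifest.xml (a hypothetical fake anti-spam app, not a real BRATA sample) and flags the combination of SMS, overlay, accessibility-service and device-admin declarations that the article describes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article associates with BRATA-style banking trojans.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
                   "android.permission.READ_SMS"}
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest (not taken from a real BRATA sample): a fake
# "anti-spam" app asking for SMS, overlay, accessibility and device-admin rights.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.antispam">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank Anti-Spam">
    <service android:name=".Accessibility"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

def manifest_findings(xml_text):
    """Return the set of risk indicators declared in an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = set()
    if perms & SMS_PERMISSIONS:
        findings.add("sms")            # can read OTP codes delivered by SMS
    if OVERLAY_PERMISSION in perms:
        findings.add("overlay")        # can draw a fake login screen over the bank app
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND for s in root.iter("service")):
        findings.add("accessibility")  # can read on-screen text and drive the UI
    if any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_BIND for r in root.iter("receiver")):
        findings.add("device_admin")   # needed before an app can "Erase all data"
    return findings

def risk_level(findings):
    """Crude triage: SMS plus accessibility together is the banking-trojan pattern."""
    if {"sms", "accessibility"} <= findings:
        return "high"
    return "medium" if findings else "low"
```

A legitimate messaging app may also declare SMS permissions, so the value is in the combination of indicators rather than any single one.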

Recently, versions of a new Trojan using the same C2 infrastructure as BRATA have been identified targeting users in the UK, Italy, and Spain, with a local-language version of the app for each country. This appears to be an SMS stealer app that can both send and receive messages on the affected device. After installation, victims are asked to make the app their default messaging app, which allows it to intercept all messages. This could be used for contact harvesting as well as for access to 2FA and OTP codes. It is thought that these apps not only share the same methods and C2 infrastructure, but also contain sections of BRATA’s code. Both use the endpoint “/rdc” and the same ports for C2 access: port 19999 is used to inform the C2 that the app has been installed, and port 18888 is used to send the intercepted SMS messages to the C2.
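The endpoint and ports above give a network defender something concrete to hunt for in egress logs. The following is an added example, not code from the article: it runs over a constructed sample log (the "timestamp src dst:port method path" layout is an assumption for this example) and reports both single-line indicator matches and the stronger pattern of one device contacting the same server on both C2 ports via "/rdc".

```python
import re
from collections import defaultdict

# Indicators named in the article: the "/rdc" endpoint, port 19999 (install
# notification) and port 18888 (upload of intercepted SMS).
INSTALL_PORT = 19999
SMS_PORT = 18888
C2_PATH = "/rdc"

# Constructed sample egress log (not a real capture); layout is an assumption.
SAMPLE_LOG = """\
2022-06-20T09:12:01Z 10.0.0.15 203.0.113.7:443 GET /api/status
2022-06-20T09:12:05Z 10.0.0.23 198.51.100.9:19999 POST /rdc
2022-06-20T09:12:09Z 10.0.0.23 198.51.100.9:18888 POST /rdc
2022-06-20T09:12:30Z 10.0.0.31 203.0.113.7:443 GET /login
2022-06-20T09:13:02Z 10.0.0.42 192.0.2.50:18888 GET /
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")

def parse_line(line):
    """Split one log line into (ts, src, dst, port, method, path), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, method, path = m.groups()
    return ts, src, dst, int(port), method, path

def flag_lines(log_text):
    """Return (src, dst, port, path, reasons) for every line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, port, _, path = rec
        reasons = []
        if port in (INSTALL_PORT, SMS_PORT):
            reasons.append("c2_port")
        if path == C2_PATH:
            reasons.append("rdc_path")
        if reasons:
            hits.append((src, dst, port, path, reasons))
    return hits

def hosts_with_full_pattern(log_text):
    """Sources that hit both C2 ports on the same destination via /rdc: the strongest
    signal, as a lone high-port connection on its own is easily a false positive."""
    seen = defaultdict(set)
    for src, dst, port, path, _ in flag_lines(log_text):
        if path == C2_PATH:
            seen[(src, dst)].add(port)
    return sorted(src for (src, _), ports in seen.items() if {INSTALL_PORT, SMS_PORT} <= ports)
```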

To protect your devices from BRATA and similar Trojan apps, staying vigilant is not always enough, as complex social engineering schemes can trick even tech-competent users. Malicious apps can sometimes appear on the Google Play store before being reported and removed, and actors are sometimes hired as fake support employees to make the con more convincing. Ensuring you have up-to-date mobile antivirus running effectively and in real time provides an extra layer of protection, as does critically examining any app that asks for unexpected device permissions such as “Erase all data” or “Send and view SMS”.

Security managers can protect their fleet of Android devices from BRATA and similar threats by:

  • Blocking the ability to sideload apps from unofficial app stores
  • Providing security awareness training to help users spot apps that request excessive privileges
  • Implementing endpoint protection and mobile device management (MDM) systems to limit which apps can be installed on a device and to identify apps with malicious intent
