In its latest version, the Android malware known as BRATA has added new and dangerous features, such as GPS tracking, the ability to use multiple communication channels, and a function that wipes all traces of malicious activity from the device.
Kaspersky discovered BRATA in 2019 as an Android RAT (remote access tool) that primarily targeted Brazilian users.
A Cleafy report from December 2021 highlighted the malware’s emergence in Europe, where it was seen targeting e-banking users and stealing their credentials with the help of fraudsters posing as bank customer service agents.
Cleafy analysts kept an eye on BRATA for new features, and in a new report released today, they show how the malware is still evolving.
Adapted versions for various audiences
BRATA malware has been updated to target e-banking users in the United Kingdom, Poland, Italy, Spain, China, and Latin America.
To target specific audiences, each variant focuses on different banks with dedicated overlay sets, languages, and even different apps.
In all versions, the authors employ similar obfuscation techniques, such as wrapping the APK file in an encrypted JAR or DEX package.
As shown in the VirusTotal scan below, this obfuscation successfully avoids antivirus detection.
On that front, BRATA is now actively looking for signs of antivirus on the device and attempting to remove any detected security tools before moving on to the data exfiltration step.
The keylogging functionality, which complements the existing screen capturing function, is one of the new features discovered by Cleafy researchers in the latest malware BRATA versions.
All new variants also have GPS tracking, though the analysts are not sure what it is for.
Factory resets are the scariest of the new malicious features, which the actors perform in the following situations:
- The compromise has been successfully completed, and the fraudulent transaction has come to an end (i.e. credentials have been exfiltrated).
- The application has detected that it is running in a virtual environment, which is most likely for testing purposes.
Factory resets are used by BRATA as a kill switch for self-protection, but because they wipe the device, they also expose the victim to the risk of a sudden and irreversible loss of data.
Finally, BRATA now supports HTTP and WebSockets as new communication channels for exchanging data with the C2 server.
WebSockets provides the actors with a direct, low-latency channel that is ideal for real-time communication and manual exploitation in real-time.
Furthermore, because WebSockets does not require sending headers with each connection, the volume of suspicious network traffic is reduced, and the chances of being detected are reduced as a result.
How to stay safe against android malware BRATA
Many Android banking trojans and stealthy RATs are circulating in the wild, attempting to steal people’s banking credentials.
Installing apps from the Google Play Store, avoiding APKs from shady websites, and scanning them with an antivirus tool before opening are the best ways to avoid being infected by Android malware.
Pay close attention to the requested permissions during installation and don’t grant any that don’t appear to be necessary for the app’s core functionality.
Finally, keep an eye on battery usage and network traffic volumes to spot any unusual spikes that could be caused by malicious processes running in the background.