If your Android phone initiates a factory reset out of the blue, there’s a chance it has been infected with the BRATA banking malware and you’ve just been ripped off.
The unusual functionality serves as a kill switch for the trojan, Cleafy researchers have explained, while also making the victim lose time trying to find out what happened as crooks siphon money out of their account.
European users under attack
First documented by Kaspersky researchers in 2019, BRATA was a RAT targeting Android users in Brazil. It was able to capture and send user’s screen output in real-time, log keystrokes, retrieve device information, turn off the screen to give the impression that it has been turned off, and more.
Through the years, BRATA evolved primarily into banking malware and has lately been aimed against Android users in Europe and the rest of Latin America. (Cleafy researchers hypothesize that the group responsible for maintaining the BRATA codebase is probably located in the LATAM area and is reselling this malware to other local groups.)
The trojan has been spotted targeting customers of several Italian banks in H2 2021.
“The attack chain usually starts with a fake SMS containing a link to a website. The SMS seems to come from the bank (the so-called spoofing scam), and it tries to convince the victim to download an anti-spam app, with the promise to be contacted soon by a bank operator. In some cases, the link redirects the victim to a phishing page that looks like the bank’s, and it is used to steal credentials and other relevant information (e.g. fiscal code and security questions),” the researchers shared last December.
Victims are persuaded by the fraud operators to install the app, which gives the latter control of the device and access to the 2FA code sent by the bank, allowing them to perform fraudulent transactions.
Since then, several variants of the malware posing as a variety of security apps have been targeting users of banks and financial institutions in the UK, Poland, Italy, and LATAM.
BRATA’s new capabilities
These “European” variants have gained interesting capabilities such as establishing multiple communication channels (HTTP and…