Android malware BRATA wipes your device after stealing data

The Android malware known as BRATA has added new and dangerous features to its latest version, including GPS tracking, the capacity to use multiple communication channels, and a function that performs a factory reset on the device to wipe all traces of malicious activity.

BRATA was first spotted by Kaspersky back in 2019 as an Android RAT (remote access tool) that mainly targeted Brazilian users.

In December 2021, a report by Cleafy underscored the emergence of the malware in Europe, where it was seen targeting e-banking users and stealing their credentials with the involvement of fraudsters posing as bank customer support agents.

Analysts at Cleafy continued to monitor BRATA for new features, and in a new report published today they illustrate how the malware continues to evolve.

Tailored versions for different audiences

The latest versions of the BRATA malware now target e-banking users in the UK, Poland, Italy, Spain, China, and Latin America.

Each variant focuses on different banks with dedicated overlay sets, languages, and even different apps to target specific audiences.

[Figure: BRATA variants circulating in different countries. Source: Cleafy]

The authors use similar obfuscation techniques in all versions, such as wrapping the APK file into an encrypted JAR or DEX package.

This obfuscation is enough to evade most antivirus engines, as illustrated by the VirusTotal scan below.
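The packing technique just described leaves a structural trace a defender can look for: a second package (JAR, DEX or APK) or an encrypted blob sitting inside the APK container rather than in the usual classes.dex. The following scanner, an added example that is neither Cleafy's nor BleepingComputer's code, reads an APK as the ZIP archive it is and flags entries under assets/ or res/raw/ that carry a package name, a ZIP/DEX magic, or byte entropy high enough to suggest encryption. The two sample APKs it builds are constructed in memory with placeholder contents (there is no real Android code in them), and the threshold values and the helper names are assumptions, not anything from the report.

```python
"""Heuristic scanner for APKs that carry a nested JAR/DEX payload.

Added example (not Cleafy's or BleepingComputer's code). It inspects the
entries of an APK's ZIP container and flags entries that look like a
packed or encrypted second-stage package. Sample APKs are constructed in
memory; the classes.dex and payload contents are placeholders.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

# Directories where a hidden second stage is typically dropped (assumption).
PAYLOAD_DIRS = ("assets/", "res/raw/")
# Names an embedded package often keeps even when encrypted.
PACKAGE_SUFFIXES = (".jar", ".dex", ".apk", ".zip")
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"
# Media files are legitimately high-entropy, so they are exempt from the entropy rule.
MEDIA_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".mp3", ".ogg", ".mp4", ".ttf")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_apk(apk_bytes: bytes, entropy_threshold: float = 7.5, min_size: int = 1024):
    """Return a list of (entry_name, reason) for entries that look like a packed payload."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            lower = name.lower()
            if not lower.startswith(PAYLOAD_DIRS):
                continue  # top-level classes.dex and resources are expected
            data = apk.read(name)
            if lower.endswith(PACKAGE_SUFFIXES):
                findings.append((name, "package file under a data directory"))
            elif data.startswith(ZIP_MAGIC) or data.startswith(DEX_MAGIC):
                findings.append((name, "ZIP/DEX magic under a data directory"))
            elif (len(data) >= min_size and not lower.endswith(MEDIA_SUFFIXES)
                  and shannon_entropy(data) >= entropy_threshold):
                findings.append((name, "high-entropy blob, possibly an encrypted package"))
    return findings


def _pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def _base_entries():
    # Placeholder contents; a real APK has binary XML and a real DEX here.
    return {
        "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
        "classes.dex": DEX_MAGIC + b"035\0" + b"\0" * 60,
        "res/layout/main.xml": b"<LinearLayout/>",
        "assets/config.json": b'{"theme": "light"}',
    }


def build_apk(extra=None) -> bytes:
    """Write the given entries into an in-memory ZIP laid out like an APK."""
    entries = _base_entries()
    entries.update(extra or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_benign_apk() -> bytes:
    return build_apk()


def build_suspicious_apk() -> bytes:
    # Two dropper patterns: a plainly named JAR and an encrypted blob with an innocuous name.
    return build_apk({
        "assets/payload.jar": ZIP_MAGIC + b"\0" * 100,
        "assets/splash.dat": _pseudo_random(4096),
    })


if __name__ == "__main__":
    for label, apk in (("benign", build_benign_apk()), ("suspicious", build_suspicious_apk())):
        print(label, scan_apk(apk))
```

The entropy rule is the noisy part: compressed media, fonts and some resource tables also score near 8 bits per byte, which is why media suffixes are exempted and small files are ignored. In practice a finding from this scanner is a reason to unpack and inspect the entry, not a verdict on its own.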

[Figure: Detection rate of the newest samples. Source: Cleafy]

On that front, BRATA now actively seeks signs of AV presence on the device and attempts to delete the detected security tools before proceeding to the data exfiltration step.

[Figure: AV tools removed by BRATA. Source: Cleafy]

New features

The new features spotted by Cleafy researchers in the latest BRATA versions include keylogging functionality, which complements the existing screen capturing function.

All new variants also include GPS tracking, although its exact purpose remains unclear to the analysts.

The most dangerous of the new features is the factory reset, which the operators trigger in the following situations:

  1. The compromise has been completed successfully, and the fraudulent transaction is over (i.e. credentials have been exfiltrated).
  2. The…

Source…