• Wed. Aug 3rd, 2022

BRATA Mobile Banking Trojan Gains Dangerous New Capabilities

ByCindy J. Daddario

Jan 24, 2022

The Android malware tracked as BRATA has been updated with new features that allow it to log keystrokes, track device locations, and even perform a factory reset for the purpose. apparent to conceal fraudulent wire transfers.

The latest variants, detected late last year, would be distributed via a downloader to avoid detection by security software, Italian cybersecurity firm Cleafy said in a technical article. Targets include banks and financial institutions in the UK, Poland, Italy and Latin America.

Automatic GitHub backups

“What makes Android RAT so attractive to attackers is its ability to operate directly on victim devices instead of using a new device,” Cleafy researchers noted in December 2021. (TA) can significantly reduce the possibility of being flagged as “suspicious” because the fingerprints of the device are already known to the bank.”

First seen in the wild in late 2018 and short for “Brazilian Remote Access Tool Android”, BRATA initially targeted users in Brazil, then quickly evolved into a feature-rich banking trojan. Over the years, the malware has received lots of updates and modifications, while masquerading as security scanner apps to evade detection.

BRATA spreads via smishing messages that impersonate a bank and contain a link to a malicious website, where the victim is tricked into downloading an anti-spam application. Crooks then call the target and use social engineering schemes to persuade the user to install the Trojan app and grant them overly intrusive permissions.


BRATA’s latest “tailor-made” samples are aimed at different countries and are an initial dropper – a security application dubbed “iSecurity” – which remains undetected by virtually all malware scanning engines and is used to download and run the real malware.

“Once the victim installs the downloader app, they only need to accept a single permission to download and install the malicious app from an untrusted source,” the researchers said. “When the victim clicks the install button, the downloader application sends a GET request to the C2 server to download the malicious .APK.”

Prevent Data Breaches

BRATA, like other banking Trojans seen in the wild, is known to misuse its accessibility service permissions obtained during the installation phase to stealthily monitor user activity on the compromised device .

Also, the newer versions have incorporated a kill switch mechanism that allows carriers to restore the Android phone to its factory settings after successful illicit wire transfer or in scenarios where the app is installed in a virtual environment. , effectively erasing forensic evidence of the origin of the attack and avoiding attempts to reverse engineer its code.

“BRATA is trying to reach new targets and develop new features,” the researchers said, adding that threat actors “leverage this banking Trojan to perform fraud, typically through unauthorized wire transfers (e.g. , SEPA) or via instant payments, using an extensive network of money mule accounts in several European countries.