Banking trojans have gained immense popularity among cybercriminals lately. This article covers new variants of an Android malware that has evolved and become worse than ever. Named BRATA, short for Brazilian RAT Android, the malware began as spyware but was soon upgraded to a banking trojan.

Diving into details

Security firm Cleafy analyzed three new variants of BRATA and found that the trojan can now perform a factory reset to prevent victims from detecting unauthorized wire transfers from their devices. In addition, the variants are capable of GPS tracking, using several communication channels between the C2 and the device, and continuously monitoring the victim’s banking app via keylogging and VNC techniques. The researchers discovered that the Android malware is being propagated by a downloader to evade detection by antivirus solutions.

Why factory reset?

The capability to factory reset the device is the most malicious feature of all, as its use indicates either of the following:
  • The compromise is successful and the transaction has been made.
  • The app detects that it is running in a virtual environment and tries to avoid dynamic analysis. 

While BRATA uses this function as a kill switch, it is also a threat to victims, because wiping the device may result in an irreversible loss of data.

About the variants

  • The new variants have already attacked banks and financial institutions in Poland, the U.K., Italy, Latin America, China, and Spain.
  • Each variant is carefully crafted to focus on different banks. They have dedicated overlays, different apps, and languages to target different sets of victims. 
  • However, all the versions use the same obfuscation techniques, including enclosing the APK file in an encrypted DEX or JAR package. This technique evades detection by antivirus software.
  • Furthermore, BRATA scans for antivirus on the device and tries to delete the security tools before moving on to data exfiltration.

The bottom line

BRATA is one of many banking trojans active in the wild and poses a severe financial threat to victims. This latest research demonstrates that the Android malware is attempting to spread its wings to hit new targets and develop new features. The best way to stay safe is to install apps from the Google Play Store and scan them with antivirus software. Moreover, avoid granting permissions that are not related to the app’s core functionality.
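The permission advice above can be turned into a quick triage check. The following is an added example, not code from the article or from Cleafy's research: it scans a decoded AndroidManifest.xml (for instance, one produced by apktool) for entries that can enable the behaviours listed earlier. The capability mapping, the threshold, the function names and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping (not from the article): entries that can enable the listed behaviours.
USES_PERMISSION = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing further APKs",
    "android.permission.REQUEST_DELETE_PACKAGES": "removing other apps",
}
COMPONENT_GUARD = {  # android:permission on a <receiver> or <service>
    "android.permission.BIND_DEVICE_ADMIN": "device admin (wipe possible)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility (input/screen)",
}

def triage_manifest(manifest_xml):
    """Return sorted (capability, manifest entry) findings for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID + "name", "")
        if name in USES_PERMISSION:
            findings.add((USES_PERMISSION[name], name))
    for tag in ("receiver", "service"):
        for el in root.iter(tag):
            guard = el.get(ANDROID + "permission", "")
            if guard in COMPONENT_GUARD:
                findings.add((COMPONENT_GUARD[guard], el.get(ANDROID + "name", "?")))
    return sorted(findings)

def needs_review(findings, threshold=3):
    """True when the app combines at least `threshold` distinct capabilities."""
    return len({cap for cap, _ in findings}) >= threshold

# Constructed sample: a "flashlight" app asking for far more than a torch needs.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE)
    print(found, "needs review:", needs_review(found))
```

A hit is a prompt for manual review, not a verdict: legitimate apps use each of these entries, and a device-admin receiver can only wipe the device if its policy file also declares the wipe-data policy.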

Cyware Publisher
