A new malicious Android remote access tool (RAT) dubbed BRATA has been found targeting Brazilian users. The malware gets its name from a Brazilian Android RAT called GReAT which was spotted in the wild in January.
How does it propagate?
Discovered by researchers at Kaspersky Lab, the BRATA malware has been widespread since January 2019. It is primarily hosted in the form of apps on the Google Play Store, though it is also found on unofficial Android app stores.
Researchers note that the malware can function properly on phones using Android Lollipop 5.0 version.
Lately, the operators of the BRATA are using many other infection vectors like push notification on compromised websites, messages delivered via WhatsApp or SMS and sponsored links in Google searches.
What are the malware variants?
The first sample was found in the wild between January and February 2019. Since then, there have been over 20 different variants that have appeared in the Google Play Store. The majority of these variants pose as an update to the popular instant messaging application WhatsApp.
How does it operate?
The variants that camouflage as updates for the highly popular WhatsApp app, exploit the WhatsApp CVE-2019-3568 vulnerability to infect the Android devices.
Once the victim’s device is infected, BRATA enables its keylogging feature. It also uses Android’s Accessibility Service feature to interact with other applications installed on the user’s device.
Among the other capabilities, BRATA allows its operators to unlock their victims’ devices, collect device information, turn off the device’s screen to surreptitiously run tasks in the background and uninstall itself. Once the malware uninstalls itself from the device, it ensures to leave no infection traces behind.