BRATA is the name of an Android banking trojan that security researchers have been observing for a while. In a new report compiled by cybersecurity firm Cleafy, new information about the banker has been revealed.
Threat actors have been using the trojan to “perpetrate fraud via unauthorized wire transfers.” Some of the new capabilities added to the malware include performing factory reset of the device, GPS tracking, using multiple communication channels (such as HTTP and TCP), and being able to continuously monitor the victim’s bank app via VNC (Virtual Network Computing) and keylogging.
Who’s Been Targeted with the Latest BRATA Variant?
The target list now contains further banks and financial institutions in the UK, Poland, Italy, and Latin America, the report noted. It should be mentioned that the first attack wave was initiated in November 2021, and the second one around mid-December the same year. During the second wave, hackers started delivering several new variants in various countries. The researchers also spotted some samples containing Spanish and Chinese strings.
As of now, three variants of the BRATA trojan have been identified:
BRATA.A: This variant has been used the most during the past several months. In December, hackers added two new features to its set of capabilities. The first feature is still under development, and is related to GPS tracking of the victim device. The second feature is executing a factory reset of the infected device.
BRATA.B is very similar to the first sample. What’s different here is the partial obfuscation of the code and the use of tailored overlay pages used to steal the security number (or PIN) of the targeted banking application, the report noted.
BRATA.C consists of an initial dropper that downloads and executes the real malicious app later in the attack.
Researchers have been observing the malware for some time now, and it seems that its authors are continually modifying its malicious code. This is done to avoid detection by antivirus vendors.
“Although the majority of Android banking trojans try to obfuscate/encrypt the malware core in an external file (eg. .dex or .jar), BRATA uses a minimal app to download in a second step the core BRATA app (.apk),” the Cleafy team added.
BRATA Also Capable of Bank Account Monitoring
It seems that the banker has its own custom methods for monitoring bank accounts. However, it can also monitor other actions performed on the infected device. The malware helps threat actors obtain Accessibility Service permissions, which happens during the installation phase. This is done to observe the activity performed by the victim and/or use the VNC module to obtain private data shown on the device’s screen, such as bank account balance, transaction history, etc.
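The two traits the report describes, a minimal first-stage app that downloads and installs the core .apk, and an app that binds an Accessibility Service, can both be checked against an app's AndroidManifest.xml. The triage heuristic below is an added example, not Cleafy's code or a BRATA sample; the manifests are constructed and the permission threshold for "minimal" is an assumption.

```python
import xml.etree.ElementTree as ET

# Android resource namespace; ElementTree expands android:name to {ns}name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
MINIMAL_PERM_COUNT = 3  # assumption: a "minimal" dropper declares very few permissions


def triage_manifest(manifest_xml: str) -> dict:
    """Flag the two BRATA-style traits from the report (heuristic, not a verdict):
    - stage2_dropper: few permissions, but INTERNET plus the right to install packages
    - accessibility_service: a service guarded by BIND_ACCESSIBILITY_SERVICE"""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    services = list(app.iter("service")) if app is not None else []
    accessibility = any(s.get(ANDROID_NS + "permission") == A11Y_PERM for s in services)
    dropper = ("android.permission.INTERNET" in perms
               and INSTALL_PERM in perms
               and len(perms) <= MINIMAL_PERM_COUNT)
    return {"stage2_dropper": dropper,
            "accessibility_service": accessibility,
            "permission_count": len(perms)}


# Constructed manifests for illustration (not real BRATA artifacts).
STAGE1_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="example.stage1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

CORE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="example.core">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("stage1", STAGE1_MANIFEST), ("core", CORE_MANIFEST)):
        print(name, triage_manifest(m))
```

Run it over manifests pulled from unpacked APKs to rank samples for closer review; a hit on either flag is a reason to look, not proof of infection.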
Once hackers send a specific command (“get_screen”) from the command-and-control server, the malware starts taking screenshots of the device and sending them back to the command server via the HTTP channel.