The BRATA Trojan was originally spyware built to infect Android devices. It has since turned into a banking Trojan and can now reset the device, according to new research.
Victims of Android malware are often advised to perform a factory reset after cleaning an infection. But BRATA performs the reset for another reason: to erase any evidence after making an illicit transfer from the victim’s online bank account.
BRATA, or “Brazilian Android RAT”, was named by Kaspersky researchers in 2019 because it exclusively targeted Android users in Brazil. Since then, it has expanded its reach to US and Spanish banking brands, according to McAfee.
Security firm Cleafy has analyzed three new BRATA variants and its researchers believe that BRATA authors are using factory reset (reboot) to prevent victims from discovering an unauthorized bank transfer attempt. This prevents victims from reporting and stopping a fraudulent transaction.
The factory reset acts as a switch that is triggered after a successful unauthorized transfer or when the malware detects a scan by security software.
“It looks like they [the attackers] take advantage of this feature to erase all traces, immediately after an unauthorized transfer attempt,” Cleafy notes. “This way, the victim will lose even more time before realizing that a malicious action has taken place.”
Malware escaping from Brazil
BRATA is able to perform the factory reset because it masquerades as a legitimate security app and asks the victim to grant the Android “device administrator” permission, which allows the app to wipe all data, change the screen lock and set password rules.
Beyond the factory reset functionality, BRATA can now monitor the victim’s banking app via VNC and by spying on the mobile keyboard (keylogging).
Additionally, BRATA has expanded its targets to include banks in the UK and Poland, as well as banks in Italy and Latin America.
According to Cleafy, BRATA spreads through text messages that pose as a bank and contain a link to a website where the victim is tricked into downloading an anti-spam application. The scammers then call the victim and trick them into installing the banking Trojan, which allows the attacker to capture the second-factor authentication codes sent by the bank and use them to carry out the fraud.
To monitor accounts, malicious BRATA Android apps obtain Android Accessibility Services permissions to see how victims use their banking apps. VNC modules allow the attackers to view what is displayed on the banking app screen, such as account balance and transaction history. BRATA also takes screenshots of the victim’s screen and sends this information to a server controlled by the attacker.
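The permission combination described above (a device administrator that can wipe data, plus an accessibility service) is something an analyst can check for when triaging a suspicious APK. The following Python code is an added example, not code from Cleafy or from the original article; it assumes the APK has already been decoded to plain-text XML (for instance with apktool), and the sample manifest and policy file are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Device-admin policy tags matching the capabilities the article lists.
RISKY_POLICIES = {
    "wipe-data": "can factory-reset the device",
    "reset-password": "can change the screen lock",
    "limit-password": "can set password rules",
}

# Constructed sample input: a decoded manifest and its device-admin policy file.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application>
<receiver android:permission="android.permission.BIND_DEVICE_ADMIN"/>
<service android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
</application></manifest>"""
SAMPLE_POLICY = """<device-admin><uses-policies>
<wipe-data/><reset-password/><limit-password/>
</uses-policies></device-admin>"""

def triage(manifest_xml, admin_policy_xml):
    """Return a list of findings for one decoded app."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    components = list(app) if app is not None else []
    perms = {c.get(ANDROID_NS + "permission") for c in components}
    is_admin = "android.permission.BIND_DEVICE_ADMIN" in perms
    has_a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in perms
    policies = set()
    if is_admin and admin_policy_xml:
        uses = ET.fromstring(admin_policy_xml).find("uses-policies")
        policies = {p.tag for p in uses} if uses is not None else set()
    for tag, meaning in RISKY_POLICIES.items():
        if tag in policies:
            findings.append(f"device admin policy <{tag}/>: {meaning}")
    if has_a11y:
        findings.append("accessibility service: can observe other apps' screens")
    # The pairing the article describes: screen monitoring plus remote wipe.
    if "wipe-data" in policies and has_a11y:
        findings.append("HIGH: wipe-data plus accessibility service in one app")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_POLICY):
        print(line)
```

Either capability alone is common in legitimate apps such as MDM agents and screen readers; it is the combination in an app installed from a link that deserves a closer look.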