A nasty Android banking trojan that is best known for wiping smartphones to cover its tracks has gained several new features that improve its ability to phish online-banking credentials, intercept SMS two-factor authentication codes, and more.
BRATA, or the ‘Brazilian Remote Access Tool, Android’, has been circulating since at least 2019, initially as spyware, although it later became a banking trojan.
Researchers at Cleafy, an Italian cybersecurity firm, last year discovered BRATA’s makers had started abusing Android’s factory reset to prevent victims from discovering, reporting and preventing unauthorized wire transfers.
The factory reset was executed after a successful illicit wire transfer or when the malware detected analysis by installed security software.
BRATA originally targeted only customers of Brazilian banks, but Cleafy reported that it more recently started targeting customers of UK, Spanish and British banking brands.
The malware was spread through fraudulent SMS messages purporting to be from a target’s bank, but which actually contained a link that would download BRATA.
According to Cleafy researchers, a new variant spreading across Europe features new phishing pages mimicking targeted banks, new methods of acquiring permissions to access GPS location data, and new ways to send and receive SMS and gain device management permissions. It also gained the ability to sideload a second-stage piece of malware from its command and control server to perform event logging.
The combination of the phishing pages and the ability to receive and read the victim’s SMS could be used to take over a victim’s bank account, notes Cleafy.
Cleafy discovered a related SMS-stealing app that shared some code with the BRATA malware. They believe this app is used to harvest contacts from devices in the UK, Italy and Spain.
The malicious app asks the user to change the default messaging app to the malicious one in order to intercept incoming messages, including two-factor authentication codes or one-time passcodes.
Cleafy notes that the threat actors target customers of specific banks for a few months before moving on to customers of another target.
“The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information,” Cleafy said.
“Threat actors behind BRATA now target a specific financial institution at a time, and change their focus only once the targeted victim starts to implement consistent countermeasures against them. Then, they move away from the spotlight, to come out with a different target and strategies of infections,” it warned.