The threat actor behind the BRATA Android banking trojan has upgraded its techniques and added information-stealing features to the malware. Cleafy, an Italian mobile security firm, has tracked BRATA activity and identified changes across successive campaigns that give the malware longer persistence on infected devices.
The new variant of BRATA appeared in 2021. It lured victims into downloading the malware onto their devices and obtained “super admin” (device administrator) privileges during installation. That version also carried a factory reset command, used to wipe the device once all data had been stolen, which destroys evidence of the infection and delays the victim's discovery of the fraud.
BRATA's early distribution used CVE-2019-3568 as a lure: it was pushed as a fake WhatsApp update that claimed to patch that bug, a buffer overflow in WhatsApp's VoIP stack that allowed remote code execution. Once the fake update was installed, the trojan could interact with and read data from other apps on the device.
According to the researchers, BRATA has also become more targeted: it concentrates on one financial institution at a time and moves to another only when that bank's defenses render the attacks ineffective.
BRATA has been updated to send and receive SMS, which lets the attackers intercept the one-time passwords (OTPs) and other two-factor authentication (2FA) codes that banks text to their customers. On Android this requires SMS permissions or becoming the device's default messaging app, so an app that asks for either without a messaging purpose is a red flag.
Once installed on a device, BRATA downloads a ZIP archive from its C2 server containing a JAR package (“unrar.jar”). This second-stage module is a keylogger: it records app-generated events and stores them locally together with the captured text and a timestamp.
Cleafy's analysts note that this module is still in early development.
How BRATA works:
- Credential harvesting (banking login data captured through overlays and injected screens)
- Event logging (the accessibility-based keylogger module)
- SMS stealer (interception of OTP and 2FA codes)
Protect yourself from BRATA
The existence of this malware is a reminder to all Android users to avoid installing apps that don't come from Google Play and to pay close attention to the permissions that apps request. SMS, accessibility-service and device-administrator rights in particular have no place in an app that does not obviously need them.
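The three capabilities listed above (SMS theft, event logging, persistence) each require specific declarations in an app's AndroidManifest.xml, so a decoded manifest can be triaged for them before the app is trusted. The script below is an added example, not code from the article or from Cleafy: it parses a manifest decoded with a tool such as apktool and reports which of those capability groups the app has declared the rights to use. The sample manifests, package names and class names are constructed for illustration and are not BRATA indicators.

```python
"""Triage a decoded AndroidManifest.xml for BRATA-style capabilities.

Added example (not the article's or Cleafy's code).  Reads a decoded manifest,
e.g. the AndroidManifest.xml that `apktool d app.apk` produces, and reports
which capability groups the app has declared: SMS interception (OTP theft),
accessibility-service binding (keylogging / event logging) and device-admin
binding (persistence, factory reset).  The manifests below are constructed.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# A receiver for SMS_DELIVER is what an app needs to become the default SMS
# handler (Android 4.4+), which hands it every incoming message.
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"


def manifest_facts(xml_text):
    """Extract the declarations relevant to the three capability groups."""
    root = ET.fromstring(xml_text)
    uses = {el.get(A_NAME) for el in root.iter("uses-permission")}
    actions = {el.get(A_NAME) for el in root.iter("action")}
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(uses & SMS_PERMISSIONS),
        "default_sms_handler": SMS_DELIVER_ACTION in actions,
        "accessibility_service": any(
            el.get(A_PERMISSION) == ACCESSIBILITY_BIND for el in root.iter("service")),
        "device_admin": any(
            el.get(A_PERMISSION) == DEVICE_ADMIN_BIND for el in root.iter("receiver")),
    }


def triage(xml_text):
    """Return the capability groups the manifest enables, sorted by name."""
    f = manifest_facts(xml_text)
    found = []
    if f["sms_permissions"] or f["default_sms_handler"]:
        found.append("sms_stealer")
    if f["accessibility_service"]:
        found.append("event_logging")
    if f["device_admin"]:
        found.append("persistence")
    return sorted(found)


def verdict(xml_text):
    """Two or more groups together is the profile of a banking trojan; a lone
    accessibility service or device-admin receiver has legitimate uses."""
    groups = triage(xml_text)
    if len(groups) >= 2:
        return "banking-trojan-like"
    return "review" if groups else "clean"


# Constructed manifest of a hypothetical trojan: SMS rights, default SMS
# handler, an accessibility service and a device-admin receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Bank Update">
    <service android:name=".LoggerService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of a harmless app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    # Usage: python triage.py [path/to/AndroidManifest.xml]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    facts = manifest_facts(text)
    print(facts["package"], triage(text), verdict(text))
```

The script only inspects declarations, so it flags what an app could do, not what it does; pair it with a look at the decoded code or runtime behaviour before drawing conclusions, and expect legitimate accessibility tools and MDM agents to land in "review".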