Friday November 22, 2024

Advisory ID: ngCERT-2022-0066

Summary: New variants of the BRATA banking trojan have been discovered targeting Android devices globally since November 2021. They carry advanced features, including the ability to wipe devices after stealing user data, GPS tracking of devices, and novel obfuscation techniques. The remote access trojan (RAT), which targets banks and financial institutions, is now being distributed through a downloader to avoid detection by antivirus (AV) solutions.

Vulnerable Platform(s): Android Devices

Threat Type: Bypass authentication, Data Theft, Denial of Service, Remote Code Execution, Unauthorized access.

Description: This malware initially targeted Brazilian users and was therefore called Brazilian Remote Access Tool Android (BRATA). Recently, the malware has been reported to be targeting banks and financial institutions in Italy, Latin America, Poland and the United Kingdom, with the potential of spreading to more countries across the globe. The malware has received many upgrades and changes, with the capability of remaining undetected by virtually all malware scanning engines, and is used to download and run the real malicious software. After a victim unknowingly installs the downloader app, they only need to accept one permission to download and install a malicious application from an untrusted source. When the victim clicks the install button, the downloader app sends a GET request to the C2 server to download the malicious .APK. In some cases, the link redirects the victim to a phishing page that looks like the bank's, and it is used to steal credentials and other relevant information (e.g. PIN code, password and security questions). Once the malicious app is installed, the fraud operators can take control of the victim's infected device to perform the following:

Consequences: The screen recording and casting capabilities allow the malware to capture any sensitive information displayed on the screen. This includes audio, passwords, payment information, photos, and messages. The malware also intercepts SMS messages and forwards them to a Command & Control (C2) server, where they are used to obtain the Two-Factor Authentication (2FA) codes sent by the bank via SMS during the login phase or to confirm money transactions.

Impact/Probability: CRITICAL/HIGH

Solution
  1. The best way to avoid becoming a victim is to ensure vigilance in what apps you install on your device.
  2. Avoid granting unnecessary accessibility permissions or administrator permissions to any app and only install apps from recognized distribution platforms.
  3. When opening an email from an untrusted source, or emails from a trusted source that contain unusual content or requests, users should not click links, execute files, or open Microsoft Office documents.
  4. Users should be on the lookout for unusual activity on banking and financial services websites. They should pay close attention to new login fields that they haven't seen before, especially when they request personal information.
