The Eye of the big BRATA: improved malware has joined the ranks of APT threats


BRATA malware operators have improved the capabilities of their Android malware to make attacks on banking applications stealthier.

“Actually, BRATA now works according to the scheme of APT attacks. During APT attacks, a cybercriminal establishes a long-term presence on the target network to steal confidential information,” says the report by information security company Cleafy.

BRATA (Brazilian Remote Access Tool Android) was first discovered in Brazil at the end of 2018, and then appeared in Europe in April 2021, masquerading as antivirus software and common productivity programs.

In the new attack model, BRATA targets a single financial institution at a time and switches to another bank only after the victim begins to apply measures to counter the threat.

The fraudulent BRATA apps also include new features. Operators have added phishing pages that imitate a financial institution's login page, which lets them:

  • collect credentials;
  • get access to SMS messages;
  • load the “unrar.jar” payload from a remote server to log events on the compromised device.

“A combination of a phishing page with the ability to access the victim’s SMS messages can be used to hijack an account (Account Takeover, ATO),” the researchers said.

According to experts, the SMS-stealing app is aimed at users in the UK, Italy and Spain. During the attack, a cybercriminal can intercept and delete incoming messages from a bank that contain one-time passwords.

“At first, the malware was disguised as antivirus software and common applications, and during recent campaigns BRATA used an APT attack on an Italian bank client. Usually, attackers distribute malware in a particular bank for several months, and then switch to another target,” the researchers said.