In its current version, the Android malware known as BRATA has introduced new and dangerous functions, such as GPS tracking, the ability to use numerous communication channels, and a feature that wipes all traces of harmful activity from the device. Kaspersky discovered BRATA in 2019 as an Android RAT (Remote Access Tool) that primarily targeted Brazilian users.
A Cleafy report from December 2021 highlighted the malware’s debut in Europe, where it was found targeting e-banking users and obtaining their credentials with the help of cybercriminals acting as bank customer service employees. Cleafy analysts kept an eye on BRATA for new features, and in the latest research, they show how the malware is still evolving.
BRATA malware has been updated to target e-banking customers in the United Kingdom, Latin America, Poland, China, Italy, and Spain. To target particular demographics, each version focuses on different banks with unique overlay sets, languages, and even different applications.
In all versions, the writers employ similar obfuscation tactics, such as putting the APK file in an encrypted JAR or DEX package. This obfuscation effectively avoids antivirus detections. On that front, BRATA is now actively looking for evidence of antivirus on the device and attempting to remove any identified security programs before moving on to the data exfiltration process.
Keylogging capabilities, which complement the current screen capturing capability, are one of the new features discovered by Cleafy researchers in the newest BRATA versions. All new variations also contain GPS monitoring, though the experts aren’t sure what it’s for. Factory resets are the scariest of the new harmful features, which the actors conduct under the following situations:
- The compromise has been effectively performed, and the fraudulent transaction has come to an end (i.e., credentials have been exfiltrated).
- The application has discovered that it is running in a virtual environment, which is most likely for analysis.
Factory resets are used by BRATA as a kill switch for self-protection, but because they erase the device, they also expose the victim to the risk of a sudden and permanent loss of data. Finally, BRATA now supports HTTP and WebSockets as new communication routes for sharing data with the C2 server.
WebSockets provides the actors with a direct, low-latency connection that is perfect for real-time communication and manual exploitation in real-time. Furthermore, because WebSockets does not need sending headers with each connection, the volume of suspicious network traffic is decreased, and the chances of being identified are lowered as a result.
