BRATA Malware Delivered Through Fake Android Updates, New Analysis

McAfee warns of malicious Android apps that pose as app security scanners on the Play Store but, instead of delivering updates, install a backdoor for harvesting sensitive information.

The now-removed app DefenseScreen got 10,000 installs. Some other apps have been downloaded 1,000 to 5,000 times.

First documented by Kaspersky in August 2019, BRATA (short for “Brazilian Remote Access Tool Android”) emerged as Android malware with screen recording abilities but morphed into a banking trojan. It is designed to target users in Brazil, Spain, and the U.S. 

“These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device by abusing accessibility services,” McAfee said in a report on Monday.

The infection chain starts with a fake alert about a security issue on the victim’s device, prompting them to install a fake update of some app – Google Chrome, WhatsApp, or a non-existent PDF reader app.

Once the app is installed, BRATA requests permission to use the device’s accessibility service, which allows attackers to perform a range of actions on the victim’s behalf.

The malware can display phishing pages to steal banking credentials. It captures screen lock credentials (PIN, password, or pattern), logs keystrokes, records the screen of the infected device, and can even disable the Google Play Store, according to McAfee researchers Fernando Ruiz and Carlos Castillo.

Disabling the Play Store app turns off Play Protect, a feature that runs a safety check on apps prior to downloading them from the app store.

This allows the attackers to install the app, later update it with little friction, and keep exploiting the device while staying under the radar.
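The two behaviours described above, a third-party app holding the accessibility service and the Play Store package being disabled, are both visible from a connected device with stock `adb shell` queries. The script below is an added triage example written for this article; it is not code from McAfee or from the report, and the allow-listed package, the `com.example.*` package names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the two BRATA indicators the article describes using
# the output of two stock Android queries:
#   settings get secure enabled_accessibility_services  (colon-separated components)
#   pm list packages -d                                 (one "package:<name>" per line)
# Package names below are assumptions/constructed, not from the article.

# Accessibility-service packages expected on a managed device (assumption;
# adjust to your fleet). Colon-separated list.
ALLOWED_A11Y="com.google.android.marvin.talkback"

# $1: raw value of `settings get secure enabled_accessibility_services`.
# Returns 0 (true) and prints each offending component if any package outside
# ALLOWED_A11Y has an accessibility service enabled; 1 otherwise.
a11y_suspicious() {
    [ -z "$1" ] || [ "$1" = "null" ] && return 1   # nothing enabled
    hit=1
    old_ifs=$IFS; IFS=:
    for comp in $1; do
        pkg=${comp%%/*}                    # "pkg/.Service" -> "pkg"
        [ -z "$pkg" ] && continue
        case ":$ALLOWED_A11Y:" in
            *":$pkg:"*) ;;                 # allow-listed, ignore
            *) echo "non-allow-listed accessibility service: $comp"; hit=0 ;;
        esac
    done
    IFS=$old_ifs
    return $hit
}

# $1: raw output of `pm list packages -d` (disabled packages).
# Returns 0 (true) if the Google Play Store package is among them.
play_store_disabled() {
    printf '%s\n' "$1" | grep -qx 'package:com.android.vending'
}

# Run both checks against a live device (requires `adb devices` to list it).
triage_device() {
    a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    disabled=$(adb shell pm list packages -d | tr -d '\r')
    a11y_suspicious "$a11y"
    play_store_disabled "$disabled" && echo "Google Play Store is disabled (Play Protect off)"
}

# Constructed sample outputs (not captured from a real device) so the checks
# can be exercised offline with `sh triage.sh --demo`.
SAMPLE_A11Y="com.google.android.marvin.talkback/.TalkBackService:com.example.fakeupdate/.AccessService"
SAMPLE_DISABLED="package:com.android.vending
package:com.example.bloatware"

if [ "${1:-}" = "--demo" ]; then
    a11y_suspicious "$SAMPLE_A11Y"
    play_store_disabled "$SAMPLE_DISABLED" && echo "Google Play Store is disabled (Play Protect off)"
fi
```

On a clean device `enabled_accessibility_services` is usually `null` or holds only accessibility aids such as TalkBack, so any freshly installed "updater" or "PDF reader" appearing there is worth a closer look; a disabled `com.android.vending` on a consumer device is rarely legitimate and matches the Play Protect bypass the report describes.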

“By stealing the PIN, Password or Pattern, combined with the ability to record the screen, click on any button and intercept anything that is entered in an editable field, malware authors can virtually get any data they want, including banking credentials via phishing web pages or even directly from the apps themselves, while also hiding all these actions from the user,” researchers concluded.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.