The threat actor behind the BRATA Android banking trojan has upgraded its techniques and added information-stealing capabilities to the malware. Cleafy, an Italian mobile security firm, has been tracking BRATA activity and identified changes in recent campaigns that give the malware longer persistence on infected devices.
“The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern,” explains Cleafy in a report. “This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information.”
The malware has also been upgraded with new phishing techniques, new classes for requesting additional device permissions, and a second-stage payload fetched from the command and control (C2) server. According to the researchers, BRATA has also become more targeted: it concentrates on one financial institution at a time and only moves to another when that bank's defenses render its attacks ineffective.
Instead of obtaining a list of installed applications and fetching the matching injections from the C2, BRATA now ships with a single phishing overlay for the targeted bank. This reduces both malicious network traffic and interactions with the host device. BRATA has also gained the ability to send and receive SMS, which helps attackers steal the temporary codes banks send to their customers, such as one-time passwords (OTPs) and two-factor authentication (2FA) codes.
Once established on a device, BRATA downloads a ZIP archive from the C2 server containing a JAR package (“unrar.jar”). This second-stage component is a keylogger: it records app-generated events and stores them locally on the device together with the captured text and a timestamp. Cleafy's analysts note that this tool is still in early development, and they believe the author's ultimate goal is to abuse the Accessibility Service to harvest data from other apps.
BRATA first appeared in Brazil in 2019 as a banking trojan capable of capturing the screen, installing new applications, and turning off the screen to make the device appear powered off. It first surfaced in Europe in June 2021, luring victims with fake anti-spam apps and using fake support agents who talked victims into handing over complete control of their devices.
A new BRATA version appeared in the wild in January 2022 with GPS tracking, multiple C2 communication channels, and customized builds for banking customers in different countries. That version also included a factory reset command that wiped the device once all data had been exfiltrated. Alongside the shift in tactics, Cleafy has also discovered a new project: an SMS stealer app that communicates with the same C2 infrastructure as the latest BRATA version.
It uses the same structure and class names as BRATA but appears to focus solely on siphoning text messages. It currently targets the United Kingdom, Italy, and Spain. The app asks the user to set it as the default messaging app, and requests permission to access the device's contacts, in order to intercept incoming SMS.
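The SMS interception, accessibility abuse and sideloading described above give an analyst a concrete capability set to look for on a device. The following Python script is an added example written for this article (it is not code from Cleafy or from the malware): it parses the text an analyst would capture with `adb shell dumpsys package`, `adb shell settings get secure sms_default_application` and `adb shell settings get secure enabled_accessibility_services`, and flags any app that combines SMS capability with another BRATA-style trait. The dumpsys excerpt, the package names `com.antispam.cleaner` and `com.example.notes`, and the trusted-handler list are all constructed for the example.

```python
"""
Device-triage helper for the BRATA-style capability set: an app that is the
default SMS handler, holds SMS permissions, runs an enabled accessibility
service and was sideloaded. Added example for this article, not code from
Cleafy or from the malware.

It parses text an analyst captures beforehand with adb:
  adb shell dumpsys package                               (grants, installer)
  adb shell settings get secure sms_default_application
  adb shell settings get secure enabled_accessibility_services
All sample text below is constructed; com.antispam.cleaner and
com.example.notes are hypothetical package names.
"""
import re

# Permissions an SMS-stealing app needs to read OTPs and 2FA codes.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Assumption for the example: stock messaging apps an analyst treats as
# legitimate default SMS handlers. Adjust to the fleet being triaged.
TRUSTED_SMS_APPS = {"com.google.android.apps.messaging", "com.android.messaging"}

# Constructed dumpsys-style output (abridged to the fields we parse).
SAMPLE_DUMPSYS = """\
Package [com.google.android.apps.messaging] (3f2a1b):
  installerPackageName=com.android.vending
  runtime permissions:
    android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
Package [com.antispam.cleaner] (9c8d7e):
  installerPackageName=null
  runtime permissions:
    android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (1a2b3c):
  installerPackageName=com.android.vending
  runtime permissions:
    android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""
SAMPLE_DEFAULT_SMS = "com.antispam.cleaner\n"
SAMPLE_A11Y = ("com.antispam.cleaner/com.antispam.cleaner.AccService:"
               "com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService\n")


def parse_dumpsys(text):
    """Return ({package: granted permissions}, {package: installer}) from
    dumpsys package output. Only 'granted=true' lines count."""
    grants, installers = {}, {}
    current = None
    for line in text.splitlines():
        pkg = re.match(r"\s*Package \[([\w.]+)\]", line)
        if pkg:
            current = pkg.group(1)
            grants.setdefault(current, set())
            continue
        if current is None:
            continue
        inst = re.match(r"\s*installerPackageName=(\S+)", line)
        if inst:
            installers[current] = inst.group(1)
            continue
        perm = re.match(r"\s*(android\.permission\.\w+): granted=(true|false)", line)
        if perm and perm.group(2) == "true":
            grants[current].add(perm.group(1))
    return grants, installers


def accessibility_packages(setting):
    """The enabled_accessibility_services value is 'pkg/service:pkg/service'."""
    return {entry.split("/")[0] for entry in setting.strip().split(":") if entry}


def triage(dumpsys_text, default_sms, a11y_setting, trusted=TRUSTED_SMS_APPS):
    """Map each suspicious package to the reasons it was flagged. An app is
    reported only when an SMS-related trait is combined with at least one
    other BRATA-style trait, so an ordinary messaging app is not flagged."""
    grants, installers = parse_dumpsys(dumpsys_text)
    a11y = accessibility_packages(a11y_setting)
    default_pkg = default_sms.strip()
    findings = {}
    for pkg, perms in grants.items():
        reasons = []
        if pkg == default_pkg and pkg not in trusted:
            reasons.append("default SMS handler outside the trusted set")
        held = sorted(p.rsplit(".", 1)[1] for p in perms & SMS_PERMS)
        if held:
            reasons.append("holds SMS permissions: " + ", ".join(held))
        if pkg in a11y:
            reasons.append("has an enabled accessibility service")
        if installers.get(pkg) in (None, "null"):
            reasons.append("sideloaded (no installer package recorded)")
        sms_related = any("SMS" in r for r in reasons)
        if sms_related and len(reasons) >= 2:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_DUMPSYS, SAMPLE_DEFAULT_SMS, SAMPLE_A11Y).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On the constructed input only `com.antispam.cleaner` is reported, with all four reasons; the stock messaging app holds SMS permissions but nothing else, so it is not flagged. The heuristic is deliberately conservative: a single SMS permission is normal, while the combination of default-handler status, an accessibility service and a missing installer is the pattern this article describes.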
For now, it is unclear whether this is merely an experiment in the BRATA team's effort to produce simpler apps dedicated to specific functions. What is clear is that BRATA continues to evolve at roughly two-month intervals. Stay vigilant, keep your smartphone up to date, and avoid installing apps from unofficial or dubious sources.