Fake Customer Service Representatives Phone Customers to Install Android Banking Malware

The BRATA Android remote access trojan (RAT) has been discovered in Italy, where threat actors contact victims by SMS to steal their online banking credentials. According to a report by Cleafy researchers, the version now circulating goes unnoticed by the great majority of AV scanners. BRATA had previously only been seen in Brazil, distributed through Google Play Store applications; it now appears that its creators are selling it to operators in other countries, which is not uncommon in this industry.

The Italian operation began in June 2021, with links to various Android applications delivered by SMS phishing, commonly known as smishing. Most of the malicious apps were marketed as anti-spam solutions and were named “Sicurezza Dispositivo” (Device Security).

The initial wave was only partly stealthy, evading about 50% of the antivirus engines on VirusTotal. Because detection rates were still high, a second wave was launched in mid-October using a different variant with very low detection rates. The actors also broadened their targeting in the second wave, increasing the number of targeted financial institutions from one to three.

The attack starts with an unsolicited SMS message that links to a malicious website. The SMS purports to come from the victim's bank and instructs the recipient to install an anti-spam app. The link leads either to a BRATA download page or to a phishing page where the victim is asked to enter their banking details. During this stage, the threat actors phone the victim, claim to be a bank employee, and offer assistance with installing the app.

To give the actor complete control of the compromised device, the app requests a range of permissions, including access to the Accessibility services, reading and sending SMS, making phone calls, and recording screen activity. The perpetrators use these privileges to log in to the victim’s bank account, retrieve the 2FA code, and then carry out fraudulent transactions. In this campaign, the mule accounts used as intermediate points are located in Italy, Lithuania, and the Netherlands.

Because this is a mobile-only campaign, the malicious site is not served to desktop users, which narrows the pool of potential victims to smartphone owners. The page will not load if you open the link from the SMS on a PC or laptop. This is a straightforward way to check the legitimacy of an incoming message.

Second, no bank ever recommends installing any software other than its official e-banking app, which is available on the Play Store or App Store and is linked from the bank’s official website.

Lastly, pay attention to the permissions an app requests when you install it and consider whether they relate to what the app actually does. If an app asks for many permissions that have nothing to do with its stated purpose, don’t install it.
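One way to apply that permission check mechanically during app triage, as an added example that is not from the article or from Cleafy's report: the script below parses an AndroidManifest.xml and flags the combination of SMS, call, overlay and Accessibility permissions described above. The manifest is a constructed sample modelled on the "anti-spam" lure, not a real BRATA artefact, and the risk threshold is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions a banking RAT needs for OTP theft, calls, overlays and remote control.
HIGH_RISK = {
    "android.permission.READ_SMS": "read SMS (2FA codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on other apps",
    ACCESSIBILITY: "Accessibility service (remote control)",
}

# Constructed sample manifest for an "anti-spam" lure app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sicurezza.dispositivo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def requested_permissions(manifest_xml):
    """Collect <uses-permission> entries plus any Accessibility-bound service."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Accessibility is not a uses-permission: it is requested by declaring
    # a service protected by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY for s in root.iter("service")):
        perms.add(ACCESSIBILITY)
    return perms


def risky_permissions(manifest_xml):
    return sorted(p for p in requested_permissions(manifest_xml) if p in HIGH_RISK)


def triage(manifest_xml, threshold=3):
    """Flag when the high-risk set is disproportionate to an anti-spam purpose (threshold assumed)."""
    risky = risky_permissions(manifest_xml)
    return {"risky": risky, "flag": ACCESSIBILITY in risky or len(risky) >= threshold}
```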

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.