Android malware BRATA attacks mobile banking users
Security researchers warn of the rising threat that the BRATA trojan poses to online banking. The malware for Android devices was first discovered in 2019. BRATA provided hackers with remote access to victims’ mobile devices, mainly in Brazil. Later the malware was updated. In late 2021 it was spotted actively attacking online banking users in Europe. New versions began to appear, each targeting a specific banking app. The malware creates an overlay on top of legitimate banking applications to intercept login credentials.
The secret of BRATA’s success is that the malware requests a high level of access during installation, including super administrator rights. As a result, hackers get the full range of privileges and can perform any action in the operating system. After gaining full control over the system, attackers can modify and delete system files and folders.
BRATA spreads mainly through fake text messages from banks. Such a message prompts you to install an application that performs critical security functions: it allegedly protects against financial theft and secures all online bank operations. This is often accompanied by a call, supposedly from the bank’s security service, whose representative draws attention to the text message, asks the user to install the program for security reasons, and offers advice on technical issues. At this point, the attacker’s top priority is to get the user to install the application and grant it a high level of privileges, including super administrator rights, permissions to view notifications and take screenshots of credentials, as well as the ability to hijack the second authentication factor, etc.
A high level of privileges also gives the attackers the option to perform a hard reset, which restores the operating system to factory defaults and deletes all user information. Security researchers claim that hackers use this new feature in two cases: after a successful BRATA attack, once the required user data has been transferred, or when BRATA detects analysis by security software. The reset keeps data from reaching the research labs of security software developers, which slows down updates to antivirus signature databases. As a result, end-users do not receive security updates in time, while the hackers get an opportunity to attack more users.
In addition, BRATA developers use obfuscation techniques to avoid detection by antivirus programs. The malware attempts to remove antivirus software if it is installed on the victim’s device and then proceeds to steal data. To avoid getting infected with BRATA, you need to keep certain security rules in mind. Namely, you should only install apps from trusted sources, such as Google Play.
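For defenders triaging an app a user was asked to sideload, the privilege combination described above can be checked in the app's decoded manifest. The following is an added example, not code from the article or from any BRATA analysis; the mapping from the article's capabilities to standard Android manifest markers, the review threshold, and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities the article describes to standard
# Android manifest markers. It is not derived from a BRATA sample.
REQUESTED = {  # declared via <uses-permission android:name=...>
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on other apps",
    "android.permission.REQUEST_DELETE_PACKAGES": "can request removal of other apps",
}
BOUND = {  # declared via <service>/<receiver android:permission=...>
    "android.permission.BIND_DEVICE_ADMIN": "device administrator (may allow factory reset)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "can read notifications",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "can read and drive the screen",
}

def audit_manifest(xml_text):
    """Return a sorted list of (marker, meaning) found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name in REQUESTED:
            found[name] = REQUESTED[name]
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            perm = el.get(ANDROID_NS + "permission", "")
            if perm in BOUND:
                found[perm] = BOUND[perm]
    return sorted(found.items())

def needs_review(findings, threshold=3):
    """Several markers together warrant manual review; legitimate apps
    (for example device-management tools) can also match, so this is not a verdict."""
    return len(findings) >= threshold

# Constructed sample manifest for a hypothetical "bank security" app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for marker, meaning in audit_manifest(SAMPLE):
        print(f"{marker}: {meaning}")
    print("needs review:", needs_review(audit_manifest(SAMPLE)))
```

The manifest inside an APK is stored in binary form, so it must be decoded to text (for example with apktool) before it is passed to `audit_manifest`.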