Spain targeted by BRATA? The malware is back in the spotlight, and is growing to the point of becoming a real advanced persistent threat (APT).
Let’s see who this malware is.
Who is Brata?
BRATA stands for Brazilian Remote Access Tool Android, a Trojan horse that appeared in Brazil and was discovered by Kaspersky in January 2019. The malware was designed to spoof the banking details of Android user victims.
Its attack vector was phishing (or smishing), via notifications, SMS, WhatsApp, rogue URLs.
The malware spread on the Google Play Store as a fake WhatsApp update, resulting in more than 10,000 downloads, about 500 users per day were targeted.
In particular, BRATA exploited the WhatsApp vulnerability CVE-2019-3568 allowing remote code execution on an Android or iPhone phone through a simple WhatsApp call attempt.
In June 2021, a variant appeared in Europe, specifically in Italy, in the form of fake anti-spam applications (“Sicurezza Dispositivo” or Device Security). In this campaign, the gang targeted a financial institution with a stealth rate in Virus Total of 50%. This led to a second variant in mid-October. This time three institutes were targeted, with an even lower detection rate.
The modus operandi consisted in sending a fake bank alert by SMS leading to a fake site, and, through a fraudulent support operator, to obtain control of the victim’s device to perform an illegitimate bank transaction.
In January 2022, BRATA returns to the malware scene with a more aggressive version aiming to establish itself in the long term, allowing it to be qualified as an APT (Advanced Persistent Threat). New features – such as access to GPS location, the presence of a keylogger and a VNC module – have been added to BRATA’s modus operandi. The target countries are the United Kingdom, Poland, Italy, China and Spain.
The BRATA banking Trojan can now reset the smartphone after performing illicit banking steps in order to erase any evidence.
How does it work?
This malware tricks the victim into entering their online banking credentials and then intercepts the two-factor authentication.
To do so, it uses an SMS impersonating a bank that redirects to a website.
The BRATA APK is hidden in an encrypted JAR or DEX package, allowing it to monitor banking applications in real time and track geolocation .
Its particularity is that it is almost undetectable by an antivirus, and the best part is that once the malware is installed, the antivirus is uninstalled and the security settings are disabled. The malware can then perform a reset on the device to erase all traces of activity, thus concealing all evidence of the illegal transfer made from the bank account.
All the novelty lies there, in its ability to clean devices, to format the phone.
The user sees his photos, videos, accounts and other data disappear.
TD’s input for more technical details.
In a phishing SMS disguised as a bank alert, the victim is asked to click on a fraudulent link to access their account. The new version of BRATA mimics the authentication homepage of the banking site. With the ability to read SMS messages, BRATA is able to intercept the message allowing two-factor authentication. The malware downloads an encrypted JAR or DEX document from the C2 server. Once installed on the device, it can uninstall the antivirus and thus persist on it.
BRATA’s targeting methodology is singular as it attacks one specific financial institution at a time. Furthermore, in addition to the ability to read SMS messages, BRATA’s new variant allows the device to be reset to the factory configuration and thus erase traces of its presence. It would also have the ability to access the phone’s geolocation data and monitor banking applications in real time.
TEHTRIS Threat Research analysts took specific strains to test BRATA’s behavior on Android phones and on Android sandboxes.
At the behavioral level, the application tries for example:
- Make it impossible to use the administrator account (via le DevicePolicyManager and the removeActiveAdmin function)
- Force a new password to unlock the phone (via the DevicePolicyManager and the resetPassword function)
- Register and start services
- And many other classic actions for Android backdoor
In the interesting little details, we see that the requested permissions (Reference : https ://developer.android.com/reference/android/Manifest.permission) are quite numerous on one of the strains studied at TEHTRIS.
We find the geolocation seen previously, but also what to control everything that is necessary for a hacker remotely (read SMS, call, modify the phone, etc.).
o android.permission.WRITE_SETTINGS: Allows an application to modify the system's settings data. Malicious applications can corrupt your system's configuration. o android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to the SD card. o android.permission.INTERNET: Allows an application to create network sockets. o android.permission.WAKE_LOCK: Allows an application to prevent the phone from going to sleep. o android.permission.READ_SMS: Allows application to read SMS messages stored on your phone or SIM card. Malicious applications may read your confidential messages. o android.permission.CALL_PHONE: Allows the application to call phone numbers without your intervention. Malicious applications may cause unexpected calls on your phone bill. Note that this does not allow the application to call emergency numbers. o android.permission.ACCESS_FINE_LOCATION: Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power. o android.permission.SYSTEM_ALERT_WINDOW: Allows an application to show system-alert windows. Malicious applications can take over the entire screen of the phone. o android.permission.DISABLE_KEYGUARD: Allows an application to disable the key lock and any associated password security. A legitimate example of this is the phone disabling the key lock when receiving an incoming phone call, then re-enabling the key lock when the call is finished. o android.permission.MODIFY_AUDIO_SETTINGS: Allows application to modify global audio settings, such as volume and routing. o com.android.launcher.permission.WRITE_SETTINGS: Allows an application to modify the system's settings data. Malicious applications can corrupt your system's configuration. o com.android.launcher2.permission.WRITE_SETTINGS: Allows an application to modify the system's settings data. Malicious applications can corrupt your system's configuration. o com.android.launcher3.permission.WRITE_SETTINGS: Allows an application to modify the system's settings data. Malicious applications can corrupt your system's configuration. o com. mi.android.globallauncher.permission.WRITE_SETTINGS: Allows an application to modify the system's settings data. Malicious applications can corrupt your system's configuration. o android.permission.CHANGE_WIFI_STATE: Allows an application to connect to and disconnect from Wi-Fi access points and to make changes to configured Wi-Fi networks. o android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to the SD card. o android.permission.USE_CREDENTIALS: Allows an application to request authentication tokens. o android.permission.MANAGE_ACCOUNTS: Allows an application to perform operations like adding and removing accounts and deleting their password. o android.permission.READ_PHONE_STATE: Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on. o android.permission.MOUNT_UNMOUNT_FILESYSTEMS: Allows the application to mount and unmount file systems for removable storage. o android.permission.GET_TASKS: Allows application to retrieve information about currently and recently running tasks. May allow malicious applications to discover private information about other applications. o android.permission.WRITE_SETTINGS: Allows an application to modify the system's settings data. Malicious applications can corrupt your system's configuration.
Brata in spain
The authors of BRATA, are winning Europe.
On Monday, January 24, 2022, the malware attacked all of L atine America, the United States, China, Poland, the United Kingdom, Italy and Spain.
It all starts with an SMS pretending to be bank alerts. To intercept incoming SMS messages, the application asks the user to set it as the default messaging application, while requesting permission to access contacts on the device. But this time the malware switches to another bank only after the victim starts implementing defensive measures.
Why should this latest attack worry us?
BRATA continues to evolve and requires all our vigilance. At the beginning it was a simple “malware” but now these campaigns are becoming APT attacks.
Their victims are well-targeted and strike one after another in an organized manner. The risk is now on cardless ATMs, and the target should also be refined.
In the face of this type of attack, TEHTRIS recommends a few tips such as:
- If you think your device is compromised or you want to play it safe from time to time, you can reboot your phone. Some people do this at least once a day, the idea being that it’s more complicated for some hacker tools to be persistent at startup, so rebooting removes malicious activity (don’t generalize to all threats)
- Update applications and software
- Make sure your phones and tablets are well protected
- And of course, to have a digital hygiene to avoid traps and impurities on all your equipment
You can follow our advice in our article: https://tehtris.com/en/blog/how-to-protect-yourself-from-mobile-cyber-threats
“TEHTRIS MTD, our Mobile Threat Defense solution, is able to identify malicious applications, analyze and find traces of spyware thanks to its constantly evolving knowledge base.
Every time a corporate phone protected by TEHTRIS MTD searches for a domain, every time a program is installed, the action is traced. Our solution provides monitoring of elements that are usually missed by some other solutions.