BRATA is an Android banking trojan built to make fraudulent wire transfers from victims' accounts. It has been active in campaigns since 2019, when Kaspersky first discovered it.
The new features of this variant are:
- Factory reset, which the attackers use to erase their tracks
- GPS tracking
- Keeping persistent connections with multiple communication channels (TCP and HTTP)
- VNC and keylogging to monitor bank applications
Researchers at Cleafy Labs reported that this new variant of BRATA first appeared last December. A downloader app was used to distribute the trojan and evade antivirus detection. The list of targeted regions now includes the UK, Latin America, Poland, and Italy.
Three Primary Variants of BRATA
Cleafy researchers said that they have intercepted three new variants of BRATA.
BRATA.A – The variant most used by attackers in recent campaigns. The threat actors added only two new features: GPS tracking and factory reset.
BRATA.B – Similar to BRATA.A, with the same capabilities. New in this variant are partial code obfuscation and phishing overlays displayed on top of banking apps to steal the victim's Social Security Number or PIN. Communication between the malicious app and the command-and-control (C2) server appears to be in clear text, whereas BRATA.A compressed it with the zlib library.
BRATA.C – Uses an initial dropper to download the real malicious app. Unlike other banking trojans, BRATA ships a minimal downloader app whose only job is to fetch the core BRATA app (.apk). Once the victim installs the downloader, a single permission prompt is all it takes: when the victim taps install, the malicious app is downloaded from the C&C server, leaving the device with two malicious applications installed.
BRATA uses a VNC module to retrieve information from the victim's device by capturing screen images. The permission this requires is granted when the user installs the downloader. Once the threat actors have access to the victim's Android device, they issue the "get_screen" command from the C2 server to receive screenshots of the device.
Bank Account Monitoring
The BRATA.B variant includes keylogging functionality. It records the victim's keystrokes when they open their banking application. The threat actors configure it so that it captures keystrokes only in specific text fields of specific banking applications.
No requests for this feature were observed in the analysed traffic, which suggests it is still under development. A notable point about GPS tracking is that the feature can easily be passed off as the behaviour of an ordinary third-party application.
Factory Reset
The factory reset feature is used to erase all traces of the attack after a successful wire transfer, and it also acts as a kill switch for the malware. When victims see their device being wiped without explanation, they are left confused about what went wrong.
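As an added example (it is not code from the article or from Cleafy's analysis), the Python script below triages an Android device for the two privileges that the keylogging and factory reset capabilities described above would normally depend on. On Android an app can only wipe the device through DevicePolicyManager.wipeData(), which requires it to be an enabled device administrator declaring the wipe-data policy, and the usual route for reading what a user types into another app's fields is an enabled AccessibilityService. The article does not say that BRATA uses these mechanisms, so treating them as its prerequisites is an assumption made here. The dumpsys and settings output is constructed, and the package com.example.fakebank is invented.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of `adb shell dumpsys device_policy`. The package
# com.example.fakebank is invented for this example and is not a real BRATA
# indicator; com.android.email is a stock component that legitimately holds
# device-admin rights without the wipe-data policy.
DUMPSYS_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.fakebank/com.example.fakebank.AdminReceiver}:
      uid=10234
      policies:
        wipe-data
        force-lock
        reset-password
      passwordQuality=0x0
    ComponentInfo{com.android.email/com.android.email.SecurityPolicy$PolicyAdmin}:
      uid=10089
      policies:
        limit-password
        force-lock
      passwordQuality=0x0
"""

# Constructed sample of
# `adb shell settings get secure enabled_accessibility_services`:
# a colon-separated list of package/ServiceClass entries.
ENABLED_A11Y_SERVICES = (
    "com.example.fakebank/com.example.fakebank.OverlayService:"
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
)

# Assumption: packages expected to hold these privileges on a healthy device.
DEFAULT_ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})

_COMPONENT_RE = re.compile(r"ComponentInfo\{([\w.]+)/([\w.$]+)\}")


def parse_device_admins(dumpsys_text: str) -> dict[str, set[str]]:
    """Map each enabled device-admin package to the policy tags it declares.

    Tags ("wipe-data", "force-lock", ...) follow a "policies:" line, one per
    indented line, until the indentation drops back to that of "policies:".
    """
    admins: dict[str, set[str]] = {}
    current: str | None = None
    policies_indent: int | None = None
    for raw in dumpsys_text.splitlines():
        match = _COMPONENT_RE.search(raw)
        if match:
            current = match.group(1)
            admins.setdefault(current, set())
            policies_indent = None
            continue
        if current is None:
            continue
        indent = len(raw) - len(raw.lstrip())
        stripped = raw.strip()
        if stripped == "policies:":
            policies_indent = indent
        elif policies_indent is not None:
            if indent > policies_indent:
                admins[current].add(stripped)
            else:
                policies_indent = None
    return admins


def parse_accessibility_services(setting_value: str) -> set[str]:
    """Return packages with an enabled accessibility service ("null" = none)."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting_value.split(":") if entry}


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)


def triage(admins, a11y_packages, allowlist=DEFAULT_ALLOWLIST) -> list[Finding]:
    """Flag packages holding the privileges the described capabilities need:
    wipe-data lets a device admin call DevicePolicyManager.wipeData(); an
    accessibility service receives the text typed into other apps."""
    findings: dict[str, Finding] = {}
    for pkg, policies in admins.items():
        if pkg not in allowlist and "wipe-data" in policies:
            findings.setdefault(pkg, Finding(pkg)).reasons.append(
                "device admin with wipe-data policy (can factory reset the device)")
    for pkg in sorted(a11y_packages):
        if pkg not in allowlist:
            findings.setdefault(pkg, Finding(pkg)).reasons.append(
                "enabled accessibility service (can observe typed text and screen content)")
    # Packages holding both privileges sort first.
    return sorted(findings.values(), key=lambda f: (-len(f.reasons), f.package))


if __name__ == "__main__":
    for finding in triage(parse_device_admins(DUMPSYS_DEVICE_POLICY),
                          parse_accessibility_services(ENABLED_A11Y_SERVICES)):
        print(finding.package, "->", "; ".join(finding.reasons))
```

On a real device, feed the script the output of `adb shell dumpsys device_policy` and `adb shell settings get secure enabled_accessibility_services`; a package that appears under both and is not a known screen reader or MDM agent is worth pulling for analysis. The allowlist is only a starting assumption and should be tuned to the fleet.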
Further analysis revealed another notable capability: the trojan is programmed to uninstall or disable any antivirus applications present on the device.
Most of the trojan's operations are directed by the C2 server. Detailed analysis of this trojan is still ongoing.