BRATA, an Android malware family, has added new and dangerous features in its latest version, including GPS tracking and the capacity to use multiple communication channels. It also has a function that performs a factory reset on the device to wipe all traces of malicious activity.
BleepingComputer reports that BRATA was first spotted by Kaspersky back in 2019 as an Android RAT (remote access tool) and mainly targeted Brazilian users.
In December 2021, a report by Cleafy underscored the emergence of the malware in Europe, where it was targeting e-banking users and stealing their credentials. Cleafy analysts continued to monitor BRATA for new features and, in a new report, illustrate how the malware continues to evolve.
The latest versions of BRATA now target e-banking users based in the UK, Poland, Italy, Spain, China, and Latin America. Variants focus on different banks with dedicated overlay sets, languages, and different apps to target specific audiences.
The authors use similar obfuscation techniques in all versions, such as wrapping the APK file into an encrypted JAR or DEX package. This obfuscation successfully bypasses antivirus detection. On that front, BRATA now actively seeks signs of AV presence on the device and attempts to delete the detected security tools before proceeding to the data exfiltration step.
The best way to avoid infections by Android malware is to install apps from the Google Play Store. Users should avoid APKs from non-authorised websites, and always scan them with an AV tool. During installation, users need to pay close attention to the requested permissions and avoid granting the ones that appear unnecessary for the app’s core functionality. They should also monitor battery consumption and network traffic volumes to identify any inexplicable spikes that may be attributed to malicious processes running in the background.