BRATA Android Trojan Returns with Fury


Marking its most aggressive comeback to the Android ecosystem since its discovery in 2019, the BRATA Android malware has targeted global victims and their banking applications with new tricks up its sleeve.

First discovered by Kaspersky in 2019 targeting Brazilian Android users, the remote access trojan (RAT) has been updated to reach more potential victims and now carries a kill switch to cover its tracks: once the malware has infected a device and successfully pushed a wire transfer through the victim's banking app, it forces a factory reset on the device, destroying the evidence along with the victim's data.

BRATA spreads through phishing text messages disguised as banking alerts. Recipients are socially engineered into downloading a specially designed app and then further tricked into installing the banking trojan itself.

Like many other Android malware families, BRATA relies on social engineering and the victim's trust to obtain the permissions it needs, allowing it to act as a device administrator. With that level of control, BRATA can tamper with security settings, monitor the screen and text inputs, and ultimately trigger the factory reset after the money has been stolen. The same access lets BRATA capture multi-factor authentication messages and codes as they arrive and are entered, bypassing the security controls built into the banking app.

While BRATA Android malware was initially designed to target Brazilian victims and their banking applications, the newest version targets victims on a global scale, from Europe to the US and down into Latin America.

At this time, samples of BRATA have not been distributed through Google Play or other official Android stores.

Steps to Protection

Victims of BRATA Android malware are advised to change all relevant banking and utility passwords and to perform a complete factory reset of their Android devices. Do not restore the device from a backup, since the backup may carry the malicious app back onto the clean device; instead, reinstall the relevant applications fresh from an official store. Users whose devices fall under an enterprise bring your own device (BYOD) policy should immediately notify their IT administrator and security team of the potential breach.

Zimperium vs. BRATA Android Malware

Zimperium customers are protected against all known samples of BRATA Android malware through the on-device z9 Mobile Threat Defense engine, which identifies whether an app is malicious, including previously unseen (zero-day) malware.

Zimperium on-device phishing classifiers detect the malicious BRATA-delivering domains with advanced machine learning-based technology. Zimperium zIPS blocks the malicious URL, preventing attackers from luring a potential victim to a targeted phishing site.

To ensure your environment is protected from BRATA and the attack vectors described above, we recommend a quick risk assessment. Inside zConsole, admins can review which apps have been side-loaded onto each device; side-loaded apps increase the attack surface and leave data and users at risk. Admins can then identify and address devices that allow installation from "unknown sources," i.e., third-party app stores or directly downloaded APKs rather than the official store.

Not a Zimperium customer? Contact us today for a free mobile risk assessment.

Indicators of Compromise (SHA-256 hashes of BRATA samples)

  • 4cdbd105ab8117620731630f8f89eb2e6110dbf6341df43712a0ec9837c5a9be
  • d9bc87ab45b0c786aa09f964a8101f6df7ea76895e2e8438c13935a356d9116b
  • f9dc40a7dd2a875344721834e7d80bf7dbfa1bf08f29b7209deb0decad77e992
  • e00240f62ec68488ef9dfde705258b025c613a41760138b5d9bdb2fb59db4d5e
  • 2846c9dda06a052049d89b1586cff21f44d1d28f153a2ff4726051ac27ca3ba7
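As an added example (this is not Zimperium's code or tooling), the following Python script serves both the side-loading review recommended above and the hash list just given: it parses the output of `adb shell pm list packages -f -i -3` to flag third-party packages that were not installed by a trusted store, then hashes APKs pulled from the device and compares them against the BRATA SHA-256 indicators. The sample `pm` output and the stand-in APK file are constructed for the demo; the exact `pm` line format and the set of trusted installers are assumptions to verify against your own devices and approved stores.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 hashes of the BRATA samples listed above (lower-case hex).
BRATA_IOCS = {
    "4cdbd105ab8117620731630f8f89eb2e6110dbf6341df43712a0ec9837c5a9be",
    "d9bc87ab45b0c786aa09f964a8101f6df7ea76895e2e8438c13935a356d9116b",
    "f9dc40a7dd2a875344721834e7d80bf7dbfa1bf08f29b7209deb0decad77e992",
    "e00240f62ec68488ef9dfde705258b025c613a41760138b5d9bdb2fb59db4d5e",
    "2846c9dda06a052049d89b1586cff21f44d1d28f153a2ff4726051ac27ca3ba7",
}

# Installers treated as trusted (assumption: extend to your fleet's approved stores).
# Anything else, or no installer at all ("null"), means the package was side-loaded:
# pushed over adb, opened from a downloaded APK, or fetched from a third-party store.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumed line format of `adb shell pm list packages -f -i -3`:
#   package:<apk path>=<package name>  installer=<installer package or null>
# The path may itself contain '=' (e.g. ~~Ab12==/), so the package name is restricted
# to [A-Za-z0-9_.] and the greedy path group backtracks to the last '='.
PM_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>[\w.]+)\s+installer=(?P<inst>\S+)$")

# Constructed sample output for the demo; not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~Ab12==/com.example.bank-1/base.apk=com.example.bank  installer=com.android.vending
package:/data/app/~~Cd34==/com.security.update-1/base.apk=com.security.update  installer=null
package:/data/app/~~Ef56==/com.example.news-1/base.apk=com.example.news  installer=com.sec.android.app.samsungapps
"""


def parse_pm_list(output):
    """Parse pm output into (apk_path, package, installer) tuples; installer is None for 'null'."""
    entries = []
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a package record
        inst = None if m.group("inst") == "null" else m.group("inst")
        entries.append((m.group("path"), m.group("pkg"), inst))
    return entries


def sideloaded(entries):
    """Return the entries whose installer is not a trusted store (None counts as side-loaded)."""
    return [e for e in entries if e[2] not in TRUSTED_INSTALLERS]


def sha256_bytes(data):
    """SHA-256 of an in-memory byte string, as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large APKs never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_iocs(hashes, iocs=BRATA_IOCS):
    """Return the subset of hashes (any letter case) present in the IoC list, normalised."""
    return {h.lower() for h in hashes if h.lower() in iocs}


def scan_apks(paths, iocs=BRATA_IOCS):
    """Hash each pulled APK once and report {path: sha256} for known BRATA samples."""
    hits = {}
    for p in paths:
        digest = sha256_file(p)
        if digest in iocs:
            hits[str(p)] = digest
    return hits


def demo():
    """Constructed end-to-end run: a stand-in APK is hashed and checked against the IoCs."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "com.security.update.apk"
        fake.write_bytes(b"PK\x03\x04 constructed stand-in, not a real APK")
        clean = scan_apks([fake])                                   # no BRATA hash matches
        hit = scan_apks([fake], BRATA_IOCS | {sha256_file(fake)})   # shows a true positive
        return len(clean), list(hit) == [str(fake)]


if __name__ == "__main__":
    for path, pkg, inst in sideloaded(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"side-loaded: {pkg} (installer={inst}) -> adb pull {path}")
    print("demo:", demo())
```

In practice, pull each flagged APK with `adb pull <path>` and pass the local paths to `scan_apks`; a package with `installer=null` deserves a look even when its hash is not on the list, since the IoCs only cover the five samples published here.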

About Zimperium

Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us today.


Richard Melick has spent over a decade in the security industry, with a particular focus on the stories surrounding ransomware, hacking, and cyber attacks. He has spoken on security on five continents and has even advised royalty on how to make and distribute ransomware.