BRATA Android Trojan Returns with Fury


Marking its most aggressive comeback to the Android ecosystem since its discovery in 2019, the BRATA Android malware has targeted global victims and their banking applications with new tricks up its sleeve.

First discovered by Kaspersky in 2019 targeting Brazilian Android users, the remote access trojan (RAT) has since been updated to reach more potential victims and to add a kill switch that covers its tracks: after the malware has infected a device and successfully completed a fraudulent wire transfer from the victim's banking app, it forces a factory reset, wiping the evidence along with the victim's data.

BRATA spreads to victims through phishing text messages (smishing) disguised as banking alerts. Recipients are socially engineered into downloading a specially crafted app from the link in the message and are then further tricked into installing the banking trojan itself.

Like many other Android malware families, BRATA relies on social engineering and the victim's trust to obtain the permissions it needs, including device administrator rights. With those rights it can tamper with security controls, monitor the screen and text input, and ultimately trigger the factory reset once the money has been stolen. The same access lets BRATA capture multi-factor authentication messages and the codes the victim types, bypassing the security controls within the banking app.

While BRATA Android malware was initially designed to target Brazilian victims and their banking applications, the newest version targets victims on a global scale, from Europe to the US and down into Latin America.

At this time, samples of BRATA have not been distributed through Google Play or other official Android stores.

Steps to Protection

Victims of BRATA Android malware are advised to change all relevant banking and utility passwords, doing so from a device other than the infected one since the malware captures on-screen text and typed input, and to perform a complete factory reset of their Android devices. It is highly recommended not to restore the device from a backup; best practice is to set the device up fresh and reinstall all relevant applications from the official store. Victims using their devices under an enterprise bring your own device (BYOD) policy are advised to immediately contact their IT administrator and security team and notify them of the potential breach.

Zimperium vs. BRATA Android Malware

Zimperium customers are protected against all known samples of BRATA Android malware through the on-device z9 Mobile Threat Defense engine, which identifies malicious apps, including previously unseen (zero-day) malware.

Zimperium on-device phishing classifiers detect the malicious BRATA-delivering domains with advanced machine learning-based technology. Zimperium zIPS blocks the malicious URL, preventing attackers from luring a potential victim to a targeted phishing site.

To ensure your environment is protected from these variants and attack vectors, we recommend a quick risk assessment. Inside zConsole, admins can review which apps are side-loaded onto devices, since side-loaded apps increase the attack surface and leave data and users at risk. Admins can then identify and address which devices allow installation from "unknown sources," i.e., from anywhere other than Google Play, such as third-party app stores or an APK downloaded from a phishing link.
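As a hands-on companion to that assessment, and to the device-admin abuse described earlier, here is an added triage script (example code, not Zimperium's or zConsole's) that performs the same checks with adb on a single handset: it lists third-party packages whose recorded installer is not Google Play, pulls and hashes each APK against the SHA-256 indicators published with this post, shows the per-app "install unknown apps" grant (the Android 8+ form of "unknown sources") and the legacy global toggle, and prints the device-admin section so that any unexpected admin receiver stands out. Assumptions: adb and sha256sum are on PATH and the device is authorized for USB debugging; the `pm list packages -3 -i` sample embedded below is constructed so the parsing logic can be dry-run with no phone attached.

```shell
#!/bin/sh
# Added triage script (not Zimperium's code). Assumes adb + sha256sum on PATH
# and a device authorized for USB debugging. Run with --device for a real phone.

# SHA-256 hashes from the IoC list in this post.
IOC_HASHES="4cdbd105ab8117620731630f8f89eb2e6110dbf6341df43712a0ec9837c5a9be
d9bc87ab45b0c786aa09f964a8101f6df7ea76895e2e8438c13935a356d9116b
f9dc40a7dd2a875344721834e7d80bf7dbfa1bf08f29b7209deb0decad77e992
e00240f62ec68488ef9dfde705258b025c613a41760138b5d9bdb2fb59db4d5e
2846c9dda06a052049d89b1586cff21f44d1d28f153a2ff4726051ac27ca3ba7"

# sideloaded_packages: reads `pm list packages -3 -i` output on stdin and prints
# each third-party package whose recorded installer is not Google Play
# (com.android.vending). Lines look like
#   package:com.example.app  installer=com.android.vending
# A sideloaded APK shows installer=null (or no installer field at all).
sideloaded_packages() {
  while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    pkg=${line#package:}
    pkg=${pkg%% *}
    case "$line" in
      *installer=*) installer=${line##*installer=} ;;
      *)            installer=null ;;
    esac
    [ "$installer" = "com.android.vending" ] || printf '%s\n' "$pkg"
  done
}

# ioc_match HASH: prints MATCH if HASH (hex, either case) is in the IoC list,
# otherwise prints clean.
ioc_match() {
  h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  if printf '%s\n' "$IOC_HASHES" | grep -qx "$h"; then
    printf 'MATCH\n'
  else
    printf 'clean\n'
  fi
}

# triage_device: pull every non-Play APK, hash it against the IoCs, show the
# per-app "install unknown apps" grant, the legacy global toggle, and the
# device-admin list (BRATA needs admin rights to force the factory reset).
triage_device() {
  dir=$(mktemp -d)
  adb shell pm list packages -3 -i | tr -d '\r' | sideloaded_packages |
  while IFS= read -r pkg; do
    apk=$(adb shell pm path "$pkg" | tr -d '\r' | sed -n 's/^package://p' | head -n 1)
    if ! adb pull "$apk" "$dir/$pkg.apk" >/dev/null 2>&1; then
      printf '%s: pull failed\n' "$pkg"; continue
    fi
    sum=$(sha256sum "$dir/$pkg.apk" | cut -d' ' -f1)
    printf '%s %s %s\n' "$pkg" "$sum" "$(ioc_match "$sum")"
    # Android 8+: sideloading is a per-app grant, not a global setting.
    printf '  REQUEST_INSTALL_PACKAGES: %s\n' \
      "$(adb shell appops get "$pkg" REQUEST_INSTALL_PACKAGES | tr -d '\r')"
  done
  # Android 7 and older: global toggle, 1 = unknown sources allowed (null on newer builds).
  printf 'install_non_market_apps: %s\n' \
    "$(adb shell settings get global install_non_market_apps | tr -d '\r')"
  # Review every enabled device admin; anything that is not your MDM is suspect.
  adb shell dumpsys device_policy | tr -d '\r' | grep -i -A 12 'device admins'
}

# Constructed sample of `pm list packages -3 -i` output for an offline dry run.
SAMPLE_PM_LIST='package:com.android.chrome  installer=com.android.vending
package:com.fake.bankalert  installer=null
package:com.vendor.tool'

if [ "${1-}" = "--device" ]; then
  triage_device
else
  printf 'Offline dry run on constructed sample (use --device for a real phone):\n'
  printf '%s\n' "$SAMPLE_PM_LIST" | sideloaded_packages
fi
```

The installer field is the key signal: Play-installed apps carry installer=com.android.vending, while an APK that arrived through a smishing link shows installer=null. A hash match against the IoC list is conclusive, but a clean hash is not, since new samples will have new hashes; the sideloaded list and the device-admin section are the checks worth reviewing regardless of hash results.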

Not a Zimperium customer? Contact us today for a free mobile risk assessment.

Indicators of Compromise (SHA-256 hashes of BRATA samples)

  • 4cdbd105ab8117620731630f8f89eb2e6110dbf6341df43712a0ec9837c5a9be
  • d9bc87ab45b0c786aa09f964a8101f6df7ea76895e2e8438c13935a356d9116b
  • f9dc40a7dd2a875344721834e7d80bf7dbfa1bf08f29b7209deb0decad77e992
  • e00240f62ec68488ef9dfde705258b025c613a41760138b5d9bdb2fb59db4d5e
  • 2846c9dda06a052049d89b1586cff21f44d1d28f153a2ff4726051ac27ca3ba7

About Zimperium

Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us today.

Richard Melick
Mobile Threat Intelligence
