A dangerous Android malware that tricks users into handing over sensitive financial data has evolved and added new two new severe capabilities to its arsenal — factory reset to wipe all traces of malware activity on the phone and track users via GPS. BRATA — which is short for Brazilian RAT Android — is a type of Android Remote Access Tool (RAT) that was first spotted by Kaspersky researchers in 2019. BRATA was mainly being delivered via the Google Play Store, and its variants were mainly distributed as fake updates for popular apps like WhatsApp.
Once executed, it allows a bad actor to unlock the target's phone, extract information by logging their keystrokes, and even turn off the screen while secretly running tasks in the background. Initially spotted wreaking havoc in Brazil, malicious parties weaponizing BRATA were also observed sending messages to targets in Italy last year. The fake SMS led users to a website where they were asked to download a fake anti-spam app to get the malware package on the victim's phone or directed them to a website where they were asked to enter their financial information.
Now, the cybersecurity experts over at Cleafy say BRATA has evolved to add some scary new abilities. First, the malware can reset the victim's phone to factory settings, deleting any trace of infection and unauthorized transactions. The notorious Pegasus spyware that was recently deployed to spy on activists, journalists, and dissidents in multiple countries, also has a self-destruct feature to remove traces of surveillance. In BRATA's case, Cleafy identified three strains with BRATA.A said to be capable of GPS tracking and executing a factory reset.
Spreading Wider, Getting Scarier
The device reset capability of BRATA.A is essentially a kill switch for the malware that kicks into action in two scenarios. The first scenario is when a bad actor has successfully committed a banking fraud, ensuring that the victim has no clue regarding a financial attack targeting them. The second scenario is when a malicious party knows that the malware application has not been installed natively on the phone and is instead running in a virtual enclosure. Again, the goal is to prevent a cybersecurity expert from studying its activity in real-time.
Regarding GPS tracking, researchers studying BRATA's evolved version say that location permission by the malicious app is requested at the time of installation. But so far, they haven't come across any signs of location tracking being weaponized. However, it is very much possible that it can be activated soon to know a victim's whereabouts and execute other forms of attacks such as cardless withdrawals from ATMs. The BRATA.B variant, on the other hand, performs keylogging to store all the keystrokes that users type when using a banking application. And as if the threat was not enough, the BRATA malware's footprints have now been discovered in more countries, including the U.K. and Poland.
Source: Cleafy