The operators behind BRATA have once again added more capabilities to the Android mobile malware in an effort to make their attacks on financial apps more stealthy.
“In effect, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern,” Italian cybersecurity firm Cleafy said in a report last week. “This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information.”
An acronym for “Brazilian Remote Access Tool Android”, BRATA was first detected in the wild in Brazil in late 2018, before making its first appearance in Europe last April, masquerading as antivirus software and other common productivity tools to trick users into downloading it.
The change in attack pattern, which reached new highs in early April 2022, means that the malware is now tailored to hit one specific financial institution at a time, and moves on to another bank only after the victim starts taking countermeasures against the threat.
The rogue apps also include new features that allow them to impersonate the financial institution’s login page to harvest credentials, read text messages, and sideload a second-stage payload (“unrar.jar”) from a remote server to log events on the compromised device.
“The combination of the phishing page with the ability to receive and read the victim’s SMS could be used to carry out a full-blown Account Takeover (ATO) attack,” the researchers said.
In addition, Cleafy said it found a separate sample Android app package (“SMSAppSicura.apk”) that used the same command-and-control (C2) infrastructure as BRATA to exfiltrate text messages, indicating that the threat actors are testing different methods to increase their reach.
The SMS stealer app is said to target users in the UK, Italy and Spain specifically, with the aim of intercepting and exfiltrating all incoming messages containing one-time passwords sent by banks.
“The first malware campaigns were distributed via fake antivirus or other common apps, while during the current campaigns the malware is taking the turn of an APT attack against the customers of a specific Italian bank,” the researchers said.
“They usually focus for a few months on delivering malicious applications that target a specific bank and then another target.”