This Android banking trojan is getting meaner

A nasty Android banking trojan best known for wiping smartphones to cover its tracks has gained several new features that improve its ability to phish online banking credentials, intercept SMS two-factor authentication codes, and more.

BRATA, or ‘Brazilian Remote Access Tool, Android’, has been circulating since 2019, initially as spyware, and later became a banking trojan.

Researchers from Cleafy, an Italian cybersecurity firm, last year discovered that the makers of BRATA had started abusing Android factory reset to prevent victims from discovering, reporting and preventing unauthorized transfers.

The factory reset was performed after a successful illegal transfer or when the malware detected analysis by installed security software.

BRATA originally only targeted customers of Brazilian banks, but Cleafy reported that it has recently started targeting customers of UK, Spanish and UK banking brands.

The malware was distributed via fraudulent text messages purportedly from a target’s bank, but which in reality contained a link that would download BRATA.

According to Cleafy researchers, a new variant is spreading across Europe, with new phishing pages that impersonate targeted banks, new methods for obtaining permissions to access GPS location data, and new ways to send and receive text messages and to obtain device management permissions. It was also given the ability to sideload second-stage malware from its command and control server to perform event logging.

The combination of the phishing pages and the ability to receive and read the victim’s SMS could be used to take over a victim’s bank account, Cleafy notes.

Cleafy discovered a related text-message-stealing app that shared code with the BRATA malware. They think this app is used to collect contacts from devices in the UK, Italy and Spain.

The malicious app asks the user to change the default messaging app to the malicious app to intercept incoming messages, including two-factor authentication codes or one-time passcodes.
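For defenders triaging a suspicious APK, the capabilities described above (SMS access, GPS location, device management permissions, and registering as the default messaging app) all leave declarations in the app's manifest. The following is an added example, not code from Cleafy or the original article; it assumes the manifest has already been decoded to plain XML, and the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted files, the defusedxml package is a safer parser

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups named in the article, mapped to Android permission names.
PERMISSION_GROUPS = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}

# Constructed sample manifest in decoded XML form; not taken from a real sample.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminRx" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml):
    """Return the sorted list of article-described capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = {group for group, perms in PERMISSION_GROUPS.items() if requested & perms}
    for receiver in root.iter("receiver"):
        guard = receiver.get(ANDROID_NS + "permission")
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        # A default SMS app declares an SMS_DELIVER receiver guarded by BROADCAST_SMS.
        if (guard == "android.permission.BROADCAST_SMS"
                and "android.provider.Telephony.SMS_DELIVER" in actions):
            found.add("default_sms_handler")
        # A device-admin receiver is guarded by BIND_DEVICE_ADMIN.
        if (guard == "android.permission.BIND_DEVICE_ADMIN"
                and "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            found.add("device_admin")
    return sorted(found)

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Legitimate messaging and device-management apps declare the same entries, so the result is a triage signal for further review rather than a verdict.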

Cleafy notes that the threat actors target customers of specific banks for a few months before moving on to customers of another target.

“The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information,” Cleafy said.

“Threat actors behind BRATA now target a specific financial institution at a time and only change their focus once the intended victim begins to implement consistent countermeasures against them. Then they move away from the spotlight to come up with a different target and strategies of infections,” it warned.
