Security researchers at Cleafy have discovered a new variant of BRATA with additional classes that can execute specific functions on an infected device. According to the new report, the trojan can now recreate the login page of a “famous Italian bank” and trick users to enter their credentials there. The threat actors can then use the credentials for a bigger attack at a later stage. Moreover, it can intercept incoming messages such as two-factor authentication (2FA) codes to completely take over the account. The threat actors are also equipping BRATA with the capabilities to obtain data from other apps installed on a device. It can acquire GPS information too, as well as gain device management permissions. Additionally, the trojan can sideload another code on the device that can perform Event Logging. On top of this, the people behind BRATA also seem to be developing Android malware disguised as a messaging app. They may be planning to use this app to steal contacts as well as messages containing 2FA codes and one-time passwords (OTP). This app is targeted in the UK, Spain, and Italy while the new variant of BRATA is spreading across Europe too.
BRATA targets customers of one bank at a time
As said earlier, BRATA has been affecting Android devices since 2019. As a banking trojan, it originally targeted customers from Brazilian banks only. But over time, it has spread across various European countries too. The program enters a victim’s device through a phishing link sent via fraudulent messages purporting to be from a bank. Clicking that link would download BRATA on the device after which it begins devastating attacks. It can steal online-banking credentials and intercept SMS 2FA codes, essentially enabling it to transfer money from your account without your knowledge. After the completion of the transfer, the trojan performs a factory reset of the device to wipe out any evidence of its existence. The factory reset is also performed if the device’s security software detects the trojan. Essentially, BRATA ensures that users remain unaware of its presence on their devices. Cleafy researchers have discovered that BRATA only targets a “specific financial institution” at a time. The threat actors switch to another bank once their targeted victims actively implement countermeasures against the trojan. At this point, they move away from the spotlight. But they come back again stronger than ever, with a new target bank and strategies. “The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information,” the researchers warn.