The most recent version of the Android virus known as BRATA now has several new and hazardous capabilities, such as GPS tracking, the ability to use numerous communication channels, and a tool that wipes all evidence of malicious activity from the device by performing a factory reset.

Kaspersky originally identified BRATA as an Android RAT (remote access tool) in 2019 that mostly targeted Brazilian users.

A Cleafy report from December 2021 highlighted the malware’s appearance in Europe, where it was observed to target customers of online banking services and steal their credentials with the help of con artists acting as bank customer care representatives.

Cleafy analysts kept an eye out for new features in BRATA, and in a new research released today, they show how the virus is still evolving.

versions with modifications for various audiences
The most recent iterations of the BRATA virus currently target e-banking customers in China, Latin America, the UK, Poland, Italy, and Spain.

With various overlay sets, languages, and even alternative applications to target particular populations, each version focuses on a different bank.

In all versions, the developers employ comparable obfuscation strategies, such as enclosing the APK file in an encrypted JAR or DEX package.

The VirusTotal scan below shows how effectively this obfuscation avoids antivirus detections.

On that front, before moving on to the data exfiltration process, BRATA now actively looks for indicators of AV presence on the device and tries to erase the discovered security tools.

new capabilities

The keylogging functionality, which is a new feature in the most recent BRATA versions, was discovered by Cleafy researchers and adds to the current screen capturing capabilities.

All new variations also have GPS monitoring, however researchers are unsure of its specific use.

The performance of factory resets, which the actors do under the following circumstances, is the scariest of the new malevolent features.

The fraudulent transaction has been successfully finished after the breach (i.e. credentials have been exfiltrated).

It has been discovered by the programme that it operates in a virtual environment, perhaps for analysis.
The death switch used by BRATA is a factory reset, which wipes the device and increases the risk of a victim experiencing an unexpected and permanent loss of data.

Finally, BRATA now supports HTTP and WebSockets and has provided new channels for data exchange with the C2 server.

A direct, low-latency route that is perfect for in-the-moment communication and live manual exploitation is provided by the use of WebSockets for the actors.

Additionally, because WebSockets don’t need to send headers with each connection, less suspicious network traffic is generated, which reduces the likelihood of being discovered.

basic safety precautions

BRATA is only one of several sneaky RATs and Android banking trojans that target users’ banking credentials that are out there.

Installing applications from the Google Play Store, avoiding APKs from dubious sources, and always scanning them with an AV programme before opening them are the best strategies to prevent getting infected by Android malware.

Pay close attention to the permissions that are sought during installation and don’t allow those that don’t seem required for the app’s primary functions.

Finally, keep an eye on your battery life and network traffic levels to spot any sudden spikes that can be caused by malicious activities that are operating in the background.