A bank fraud trojan that has been targeting Android users for three years has been updated to create even more grief. In addition to draining bank accounts, the Trojan can now activate a kill switch that performs a factory reset and cleans infected devices.
Brata was first documented in a post by security firm Kaspersky, which reported that the Android malware had been circulating since at least January 2019. The malware spread primarily through Google Play, but also through third-party marketplaces, push notifications on compromised sites, sponsored links on Google , and messages delivered via WhatsApp or SMS. At the time, Brata was targeting people with accounts from Brazilian banks.
Covers his malicious tracks
Now Brata is back with a host of new options, the most important of which is the ability to perform a factory reset on infected devices to delete any trace of the malware after an unauthorized bank transfer has been attempted. Security firm Cleafy Labs, which first reported the kill switch, said other features recently added to Brata include GPS tracking, improved communication with control servers, the ability to continuously monitor victims’ banking apps and the ability to target bank accounts in additional countries. The Trojan now works with banks in Europe, the United States and Latin America.
“First discovered targeting Brazilian Android users in 2019 by Kaspersky, the Remote Access Trojan (RAT) has been updated, targeted at more potential victims and added a kill switch to the mix to cover its malicious traces,” said security firm Zimperium in a post confirming Cleafy’s results. “After the malware has infected and completed a bank transfer from the victim’s bank app, it will force a factory reset on the victim’s device.”
This time, there is no evidence that the malware spread through Google Play or other official third-party Android stores. Instead, Brata spreads through phishing text messages disguised as bank alerts. The new possibilities circulate in at least three variants, all of which were hardly discovered until Cleafy first discovered them. The hide is at least in part the result of a new downloader used to distribute apps.
In addition to the kill switch, Brata is now seeking permission to access the locations of infected devices. While Cleafy researchers said they found no evidence in the code that Brata uses location tracking, they speculated that future versions of the malware may start using the feature.
The malware has also been updated to maintain a lasting connection with the attacker’s command and control server (or C2) in real time using a web socket.
“As shown in Figure 17 [below]the webSocket protocol is used by the C2, which sends specific commands to be executed on the phone (eg whoami, byebye_format, screen_capture, etc.), “wrote Cleafy researchers.” As far as we know, the malware ( in connection perspective) in a standby mode most of the time until C2 issues commands instructing the app for the next step. “
The new features underscore the ever-evolving behavior of crime apps and other forms of malware as their authors strive to increase the reach of the apps and the revenue they generate. Android phone users should stay alert to malicious malware by limiting the number of apps they install, ensuring that apps only come from trusted sources, and installing security updates quickly.