{"id":18146,"date":"2022-02-02T11:13:16","date_gmt":"2022-02-02T19:13:16","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11879\/"},"modified":"2022-02-02T11:13:16","modified_gmt":"2022-02-02T19:13:16","slug":"news-11879","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11879\/","title":{"rendered":"Android malware BRATA can wipe devices"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Tue, 01 Feb 2022 11:23:04 +0000<\/strong><\/p>\n<p>Cleafy, a cybersecurity firm specializing in online fraud, has published <a href=\"https:\/\/www.cleafy.com\/cleafy-labs\/how-brata-is-monitoring-your-bank-account\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">new details<\/a> about banking Trojan BRATA (Brazilian Remote Access Tool, Android), a known malware strain that first became widespread <a href=\"https:\/\/securelist.com\/spying-android-rat-from-brazil-brata\/92775\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">in 2019<\/a>.<\/p>\n<p>BRATA is now being used to perform factory resets on victims&#8217; machines. It&#8217;s rare for malware to damage or wipe victims&#8217; machines (there is rarely anything in it for the attackers) so what&#8217;s going on here?<\/p>\n<p>According to Cleafy, the victim&#8217;s Android device is factory reset after the attackers siphon money from the victim&#8217;s bank account. This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.<\/p>\n<h2>Out with the old<\/h2>\n<p>BRATA used to target Brazilian banks exclusively, but Cleafy reports that the target list has now been expanded to include banks in Italy, the UK, US, Poland, Spain, and Latin America. 
It has also <a href=\"https:\/\/www.cleafy.com\/cleafy-labs\/how-brata-is-monitoring-your-bank-account\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">revealed<\/a> a number of new capabilities, alongside the factory reset functionality:<\/p>\n<ul>\n<li>A GPS tracking capability<\/li>\n<li>Multiple methods of maintaining contact with command and control (C2) servers<\/li>\n<li>The ability to use VNC (Virtual Network Computing) and keylogging to continuously monitor a victim&#8217;s bank account<\/li>\n<\/ul>\n<p>But how does such dangerous malware end up on victims&#8217; devices?<\/p>\n<h2>How BRATA is spread<\/h2>\n<p>A BRATA campaign starts off when a potential target receives an SMS claiming to be from their bank. The SMS contains a link to a website that encourages the target to download the BRATA malware. They also receive a call from an attacker, who pretends to work for the bank.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" data-attachment-id=\"54034\" data-permalink=\"https:\/\/blog.malwarebytes.com\/android\/2022\/02\/android-malware-brata-can-wipe-devices\/attachment\/cleafy-brata-dist\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/cleafy-brata-dist.png\" data-orig-size=\"1304,748\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"cleafy-brata-dist\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/cleafy-brata-dist-300x172.png\" 
data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/cleafy-brata-dist-600x344.png\" loading=\"lazy\" width=\"600\" height=\"344\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/cleafy-brata-dist-600x344.png\" alt=\"\" class=\"wp-image-54034\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/cleafy-brata-dist-600x344.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/cleafy-brata-dist-300x172.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/cleafy-brata-dist.png 1304w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><figcaption>An illustration of the BRATA Android RAT in action (Source: <a href=\"https:\/\/www.cleafy.com\/cleafy-labs\/mobile-banking-fraud-brata-strikes-again\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Cleafy<\/a>)<\/figcaption><\/figure>\n<\/div>\n<p>The app asks for multiple permissions that, to the trained eye, would raise some red flags, and might make users reluctant to install it. <a href=\"https:\/\/www.cleafy.com\/cleafy-labs\/mobile-banking-fraud-brata-strikes-again\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">According to Cleafy<\/a>, the caller&#8217;s first job is therefore to use social engineering tactics to convince victims to install it. <\/p>\n<p>Once the app is installed, the fraudsters can remotely hijack the device whenever they want to, and can perform banking transactions without the target knowing. Not only that, the app can be used to initiate admin-level actions, such as locking the screen, changing the screen lock, and setting password rules. For the most recent BRATA strain, being an admin app also allows it to initiate a factory reset on the affected mobile device.<\/p>\n<p>A two-factor authentication (2FA) code from the bank does not protect accounts here. 
Through BRATA, the 2FA codes from banks are intercepted and sent to the fraudster&#8217;s command and control server.<\/p>\n<p>Cleafy believes that the current operators of the BRATA mobile malware are based in at least one European country, because mule accounts linked to this campaign were found in Italy, Lithuania, and the Netherlands.<\/p>\n<h3>Protect yourself from BRATA<\/h3>\n<p>The existence of this malware is a reminder to all Android users to avoid installing apps that don&#8217;t come from Google Play, and to pay attention to the permissions that apps ask for. For example, BRATA requests the &#8220;Erase all data&#8221; permission, and most of us don&#8217;t want apps that can do that running on our mobile devices.<\/p>\n<p>Although this version of BRATA was not found on Google Play, in the past it has been found, called out, and removed from Google&#8217;s online store. So, even when you&#8217;re using Google Play, stay vigilant and make sure to keep <a href=\"https:\/\/www.malwarebytes.com\/mobile\" target=\"_blank\" rel=\"noreferrer noopener\">your mobile antivirus<\/a> running in real time and up to date.<\/p>\n<p>IOCs:<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/android\/2022\/02\/android-malware-brata-can-wipe-devices\/\">Android malware BRATA can wipe devices<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The BRATA Android RAT has some alarming new capabilities.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10462,17079,11254,18827,24764,24765,24766,24767,24768,24769,3924,12795,12364],"class_list":["post-18146","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-android","tag-android-banking-trojan","tag-android-malware","tag-android-rat","tag-brata","tag-brazilian-remote-access-tool-android","tag-cleafy","tag-gps-tracking","tag-keylogging","tag-persistent-c2-communication","tag-phishing","tag-smishing","tag-vnc"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18146"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18146\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18146"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}