A strain of Android malware, known for its attacks on the Google Play Store, has been spotted targeting online banking login pages, in what experts see as a long-term shift in strategy by its developers.
The Brazilian Remote Access Tool (BRATA) first emerged in 2018, targeting Android users with fake antivirus apps and similar security software in an attempt to steal credentials.
However, new attacks suggest that the group behind the malware has turned to directly targeting financial institutions, trying to put fake login pages in front of users who are trying to access online banking services.
The new variant was reported by cybersecurity organization Cleafy, which provided screenshots of a new phishing page for BRATA that mimics a leading bank’s login field, asking users to enter their PIN code and customer number.
“They typically focus on delivering malicious applications targeted at a specific bank for a few months and then at another target,” Cleafy explained in a blog post about the discovery.
Social engineering aimed at the customers of specific banks indicates that BRATA’s threat actors are organizing their target pool. Formerly focused on South America, its efforts to steal financial information have shifted to users in mainland Europe and the UK, with Italy-based Cleafy discovering the variant through increased activity in the region.
The evolution also saw the introduction of new features, which allow the strain to request SMS, GPS, and device management permissions. Additionally, during installation, an event logging plugin titled “unrar.jar” is downloaded from the BRATA command and control (C2) framework. Cleafy expressed concern that these additions “could be used to perform a full account takeover (ATO) attack.”
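The permission combination described above (SMS access, location, and device-administrator rights) is something a defender can screen for before an app ever reaches a device. The following Python script is an added example written for this article; it is not Cleafy’s tooling or anything from the BRATA analysis. It parses an AndroidManifest.xml and reports which of those three capability groups the app declares. The permission names are real Android identifiers; the two manifests, package names and the `min_capabilities` threshold are constructed for the demonstration.

```python
"""Flag an Android manifest that combines the capabilities the article
attributes to the new BRATA variant: SMS, location and device admin.
Added example; constructed manifests, not samples from the report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERM = f"{{{ANDROID_NS}}}permission"

# Real Android permission names, grouped by the capabilities the article names.
CAPABILITIES = {
    "sms": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}
# An app obtains device-admin rights by registering a receiver protected
# by this permission (its DeviceAdminReceiver), not via <uses-permission>.
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"


def requested_capabilities(manifest_xml: str) -> dict:
    """Map each capability group the manifest declares to the matching names."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}
    found = {}
    for cap, perms in CAPABILITIES.items():
        hits = sorted(declared & perms)
        if hits:
            found[cap] = hits
    admin_receivers = sorted(
        r.get(ANDROID_NAME)
        for r in root.iter("receiver")
        if r.get(ANDROID_PERM) == DEVICE_ADMIN_PERM
    )
    if admin_receivers:
        found["device_admin"] = admin_receivers
    return found


def is_suspicious(manifest_xml: str, min_capabilities: int = 3) -> bool:
    """True when at least `min_capabilities` of the groups appear together.

    A messaging app may legitimately need SMS and a maps app location; the
    pattern worth a closer look is one app asking for all three at once.
    """
    return len(requested_capabilities(manifest_xml)) >= min_capabilities


# Constructed manifest resembling the described capability set (placeholder package).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Bank Security">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a plain SMS client: one group only, not flagged.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Messenger"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, requested_capabilities(manifest), is_suspicious(manifest))
```

The check is a triage signal, not a verdict: a legitimate app can declare all three groups, and the page’s own point is that the malicious one pairs them with a bank-themed login screen. Feed it the manifest extracted from an APK (for example with `aapt` or `apktool`) and treat a hit as a reason to inspect the app’s UI and network behaviour, which this script does not examine.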
At the time of writing, the targeted devices do not appear to be exchanging information with the threat actors behind the malware, and this may indicate that the latest BRATA.A variant is still under development, researchers say.
However, the organization has already identified a separate SMS theft app connected to the BRATA C2 infrastructure, also targeting users in mainland Europe and the UK. As threat actors test new attack vectors bound by a common framework, there are concerns that once active, this variant could prove effective in taking control of users’ financial accounts.
For this reason, Cleafy has assigned BRATA Advanced Persistent Threat (APT) status, which they define as “an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information.”
As malware evolves to deceive in more sophisticated ways, it is important that users keep up to date with threat prevention tactics and only download apps from trusted sources.