BRATA malware has evolved to target online banking services across Europe, researchers warn


A strain of Android malware, known for its attacks on the Google Play Store, has been spotted targeting online banking login pages, in what experts see as a long-term shift in strategy by its developers.

The Brazilian Remote Access Tool (BRATA) first emerged in 2018, targeting Android users with fake antivirus apps and similar security software in an attempt to steal credentials.

However, new attacks suggest that the group behind the malware has turned to directly targeting financial institutions, putting fake login pages in front of users who are trying to access online banking services.

The new variant was reported by cybersecurity organization Cleafy, which provided screenshots of a new phishing page for BRATA that mimics a leading bank’s login field, asking users to enter their PIN code and customer number.

“They typically focus on delivering malicious applications targeted at a specific bank for a few months and then at another target,” Cleafy explained in a blog post about the discovery.

A screenshot of a fake Italian bank login screen asking users to enter a customer number and PIN

The move to social engineering aimed at customers of specific banks indicates that BRATA’s threat actors are organizing their target pool. Formerly focused on South America, the efforts to steal financial information have shifted to users in mainland Europe and the UK, with Italy-based Cleafy discovering the variant through increased activity in the region.

The evolution also saw the introduction of new features, which allow the strain to request SMS, GPS, and device management permissions. Additionally, during installation, an event logging plugin titled “unrar.jar” is downloaded from the BRATA command and control (C2) framework. Cleafy expressed concern that these additions “could be used to perform a full account takeover (ATO) attack.”

At the time of writing, the targeted devices do not appear to be exchanging information with the threat actors behind the malware, and this may indicate that the latest BRATA.A variant is still under development, researchers say.

However, the organization has already identified a separate SMS theft app connected to the BRATA C2 infrastructure, also targeting users in mainland Europe and the UK. As threat actors test new attack vectors bound by a common framework, there are concerns that once active, this variant could prove effective in taking control of users’ financial accounts.

For this reason, Cleafy has assigned BRATA Advanced Persistent Threat (APT) status, which they define as “an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information.”

As malware evolves to deceive in more sophisticated ways, it is important that users keep up to date with threat prevention tactics and only download apps from trusted sources.
