A strain of Android malware, known for its attacks on the Google Play Store, has been spotted targeting online banking login pages, in what experts say is a long-term shift in strategy by its developers.
The Brazilian Remote Access Tool (BRATA) first emerged in 2018, targeting Android users with fake antivirus apps and similar security software in an attempt to steal credentials.
However, new attacks suggest that the group behind the malware has turned to directly targeting financial institutions, trying to put fake login pages in front of users who are trying to access online banking services.
The new variant was reported by cybersecurity organization Cleafy, which provided screenshots of a new phishing page for BRATA that mimics a leading bank’s login field, asking users to enter their PIN code and customer number.
“They typically focus on delivering malicious applications targeted at a specific bank for a few months and then at another target,” Cleafy explained in a blog post about the discovery.
Social engineering aimed at the customers of specific banks indicates that BRATA’s threat actors are narrowing their target pool. Formerly active in South America, their efforts to steal financial information have shifted in focus to users in mainland Europe and the UK, with Italy-based Cleafy discovering the variant through increased activity in the region.
The evolution also saw the introduction of new features, which allow the strain to request SMS, GPS, and device management permissions. Additionally, during installation, an event logging plugin titled “unrar.jar” is downloaded from the BRATA command and control (C2) framework. Cleafy expressed concerns that these additions “could be used to perform a full account takeover (ATO) attack.”
At the time of writing, the targeted devices do not appear to be exchanging information with the threat actors behind the malware, and this may indicate that the latest BRATA.A variant is still under development, researchers say.
However, the organization has already identified a separate SMS theft app connected to the BRATA C2 infrastructure, also targeting users in mainland Europe and the UK. As threat actors test new attack vectors linked by a common framework, there are concerns that once active, this variant could prove effective in taking control of users’ financial accounts.
For this reason, Cleafy has assigned BRATA Advanced Persistent Threat (APT) status, which it defines as “an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information.”
As malware evolves to deceive in more sophisticated ways, it’s important that users keep up to date with threat prevention tactics and only download apps from trusted sources.