Android malware BRATA strikes again with new dangerous capabilities

The Android malware BRATA has gained dangerous new features in its latest version, such as GPS tracking, the use of several communication channels, and a factory reset used to cover up fraudulent wire transfers.

BRATA (Brazilian Remote Access Tool Android) began as spyware and later became known as a banking trojan. Kaspersky identified it in 2019 as an Android RAT (remote access trojan) targeting banks and financial institutions. Before this RAT reached the US and Spain, it targeted only Brazil.

Cleafy published research in December 2021 highlighting BRATA as malware emerging across Europe. It found that attackers posing as bank customer service representatives were targeting e-banking users and collecting their credentials.


Variants and Capabilities:

The BRATA trojan has been detected in three different variants so far:

Source: Cleafy
  1. BRATA.A: This variant has been the most common over the last few months, and its operators added two more capabilities to it in December. The first, still under development, is GPS tracking of the user's device; the second is wiping the infected device.
  2. BRATA.B: This variant is quite similar to the first. What sets it apart is partial concealment of the code and the use of customized banking overlay pages to steal the PIN.
  3. BRATA.C: This variant uses a decoy app that downloads and executes the malicious app.

The creators of BRATA are constantly changing the malicious code to avoid antivirus software detection. “Although the majority of Android banking trojans try to obfuscate/encrypt the malware core in an external file (eg. .dex or .jar), BRATA uses a minimal app to download in a second step the core BRATA app (.apk),” the Cleafy team added.

“When the victim clicks on the install button, the downloader app sends a GET request to the command-and-control (C2) server to download the malicious .APK,” they explained. “At this point, the victim has two malicious apps installed on their device.”

Once BRATA has installed the malicious app and its code runs, the accessibility permissions have been granted and the malware can take control of the compromised device. Here is the list of commands McAfee found across all of the payloads:

  • Lock screen theft (PIN/Password/Pattern)
  • Screen capture: records the device's screen and sends screenshots to a remote server.
  • Execute action: abuses accessibility services to interact with the user interface.
  • Unlock device: uses the stolen PIN/Password/Pattern to unlock the device.
  • Start/schedule activity launch: opens a specific activity provided by the remote server.
  • Start/stop keylogger: captures the user's input in editable fields and leaks it to a remote server.
  • UI text injection: injects a string provided by the remote server into an editable field.
  • Hide/unhide incoming calls: sets the ring volume to 0 and shows a full black screen to hide an incoming call.
  • Clipboard manipulation: injects a string provided by the remote server into the clipboard.

In addition to the commands above, BRATA also performs automated actions by abusing accessibility services to hide itself from the user or to grant privileges to itself:

  • Hides the media projection warning message that explicitly warns the user that the app will start capturing everything displayed on the screen.
  • Grants itself any permission by clicking the "Allow" button when the permission dialog appears on the screen.
  • Disables the Google Play Store and therefore Google Play Protect.
  • Uninstalls itself when its own Settings page, with the "Uninstall" and "Force Stop" buttons, appears on the screen.
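As an added example (not code from the article, Cleafy or McAfee), the following static triage heuristic over an AndroidManifest.xml flags the combination described above: a minimal app that can download and install a second-stage APK and that also declares an accessibility service. The sample manifest and its package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
NETWORK_PERM = "android.permission.INTERNET"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def manifest_indicators(manifest_xml: str) -> dict:
    """Extract the manifest facts relevant to the BRATA dropper pattern."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = any(s.get(ANDROID + "permission") == A11Y_BIND for s in root.iter("service"))
    return {
        "network": NETWORK_PERM in perms,
        "can_install_apk": INSTALL_PERM in perms,
        "accessibility_service": a11y,
        "activity_count": sum(1 for _ in root.iter("activity")),
    }


def is_two_stage_dropper_candidate(manifest_xml: str) -> bool:
    """Flag a minimal app that can fetch and install an APK and also binds an
    accessibility service: the shape of the downloader the article describes."""
    ind = manifest_indicators(manifest_xml)
    return (ind["network"] and ind["can_install_apk"]
            and ind["accessibility_service"] and ind["activity_count"] <= 2)


# Constructed sample manifest shaped like a fake "security update" downloader
# stage; it is not taken from any real BRATA sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securityupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Security Update">
    <activity android:name=".MainActivity"/>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(manifest_indicators(SAMPLE_MANIFEST))
    print("two-stage dropper candidate:", is_two_stage_dropper_candidate(SAMPLE_MANIFEST))
```

A hit is a triage signal for analysts, not a verdict: legitimate accessibility apps exist, so flagged packages still need manual review.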

Here are some of the apps found to be compromised:

Source: McAfee


Prevention against Android Malware:

Here are some suggestions to help you avoid being deceived by Android malware.

  • Check an Android application in the official store before you download it. Most victims are induced to install the app by the promise of a more secure device through a fake update. Users should never need to install a third-party app to keep their devices updated.
  • To detect malicious applications, install a trustworthy and up-to-date antivirus on the device.
  • Do not click on suspicious links from an unknown sender, because they may lead to the download of malicious applications.
  • Check the developer information, the requested permissions, the number of installations, and the content of the reviews before installing an app. An application's positive rating may be the result of a majority of fake reviews.

Above all, Android users must exercise extreme caution when granting accessibility access to any app. Because accessibility services are so powerful, a malicious application can abuse them to take complete control of device data, online banking, and funds.

Get the protection you need and the privacy you want, with Clear Infosec. Check out our services and reach out to know more about how to secure your data.


Reference:

Ruiz, F. (2021, April 12). BRATA keeps sneaking into Google Play, now targeting USA and Spain. McAfee Blog. Retrieved January 25, 2022, from