Analysis

The Android malware known as BRATA has added new and dangerous features to its latest version, including GPS tracking, the capacity to use multiple communication channels, and a function that performs a factory reset on the device to wipe all traces of malicious activity.

BRATA was first spotted by Kaspersky back in 2019 as an Android RAT (remote access tool) that mainly targeted Brazilian users.

In December 2021, a report by Cleafy underscored the emergence of the malware in Europe, where it was seen targeting e-banking users and stealing their credentials with the involvement of fraudsters posing as bank customer support agents. The latest versions of the BRATA malware now target e-banking users in the UK, Poland, Italy, Spain, China, and Latin America.

Each variant focuses on different banks with dedicated overlay sets, languages, and even different apps to target specific audiences.

BRATA now actively seeks signs of AV presence on the device and attempts to delete the detected security tools before proceeding to the data exfiltration step.

Affected Locations

UK, Poland, Italy, Spain, China, and Latin America.

Mitigation

  1. Downloads must be performed from official and verified sources.
  2. Update software with tools/functions provided by genuine developers.
  3. Keep your system updated.
  4. Do not click on suspicious mail links.
  5. Avoid pirated sites.
  6. Get AV protection.
  7. Do not install third-party apps (APK).

 

IOCs

TYPE INDICATOR
FileHash-SHA256 [E769ef0d011cbf3322c9e85d4cdf70af413f021d033aed884c1431f2b7861d0d]

FileHash-SHA1 [c429857766ae7fca8e65e15ad9b1fa691e0b8de7]
FileHash-MD5 [E664bd7951d45d0a33529913cfbcbac0]
FileHash-MD5 [2dfdce36a367b89b0de1a2ffc1052e24]
FileHash-MD5 [220ec1e3effb6f4a4a3acb6b3b3d2e90]
IPv4 5[.]39[.]217[.]241

 

Reference

  1. https://thehackernews.com/2022/01/mobile-banking-trojan-brata-gains-new.html