reader comments
6 with 5 posters participating
A banking-fraud trojan that has been targeting Android users for three years has been updated to create even more grief: besides draining bank accounts, the trojan can now activate a kill switch that performs a factory reset and wipes infected devices clean.
Brata was first documented in a post from security firm Kaspersky, which reported the Android malware had been circulating since at least January 2019. The malware spread primarily through Google Play but also through third-party marketplaces, push notifications on compromised websites, sponsored links on Google, and messages delivered by WhatsApp or SMS. At the time, Brata targeted people with accounts from Brazil-based banks.
Covering its malicious tracks
Now Brata is back with a host of new capabilities, the most significant of which is the ability to perform a factory reset on infected devices to erase any trace of the malware after an unauthorized wire transfer has been attempted. Security firm Cleafy Labs, which first reported the kill switch, said other features recently added to Brata include GPS tracking, improved communication with control servers, the ability to continuously monitor victims’ bank app, and the ability to target the accounts of banks located in additional countries. The trojan now works with banks located in Europe, the US, and Latin America.
“First discovered targeting Brazilian Android users in 2019 by Kaspersky, the remote access trojan (RAT) has been updated, targeting more potential victims and adding a kill switch to the mix to cover its malicious tracks,” researchers from security firm Zimperium said in a post confirming Cleafy’s findings. “After the malware has infected and successfully conducted a wire transfer from the victim’s banking app, it will force a factory reset on the victim’s device.”
websocket.
“As shown in Figure 17 [below], the webSocket protocol is used by the C2 that sends specific commands that need to be executed on the phone (e.g, whoami, byebye_format, screen_capture, etc.),” Cleafy researchers wrote. “As far as we know, the malware (on connection perspective) is in a waiting state most of the time, until the C2 issues commands instructing the app for the next step.”
The new capabilities underscore the ever-evolving behavior of crimeware apps and other kinds of malware as their authors strive to increase the apps’ reach and the revenues they generate. Android phone users should remain wary of malicious malware by limiting the number of apps they install, ensuring apps come only from trustworthy sources, and installing security updates quickly.