A banking-fraud trojan that has been targeting Android users for three years was update to create even more grief. Besides draining bank accounts, the trojan can now activate a kill switch that performs a factory reset .
Brata was first documented in a post from security firm Kaspersky. Inwhich reported that the Android malware had been circulating since at least January 2019. The malware spread primarily through Google Play , third-party marketplaces, sponsored links , and messages delivered by WhatsApp. At the time, Brata targeted people with accounts from Brazil-based banks.
Covering its malicious tracks
Now Brata is back with a host of new capabilities. The most significant of which is ability to perform a factory reset on infect devices to erase trace of malware . Security firm Cleafy Labs, which first reported the kill switch, said other features recently added to Brata include GPS tracking, improved communication with control servers, the ability to continuously monitor victims’ bank apps, and the ability to target the accounts of banks located in additional countries. The trojan now works with banks located in Europe, the US, and Latin America.
This time around, there’s no evidence that the malware was spreading to Google Play or other official third-party Android stores. Instead, Brata propagates through phishing text messages disguised as banking alerts. The new capabilities are circulating in at least three variants. All of which went almost completely undetected until Cleafy first discovered them. The stealth is at least partly the result of a new downloader use to distribute the apps.
Besides the kill switch, Brata now seeks permission to access the locations of infected devices. While Cleafy researchers said they didn’t find any evidence in the code that Brata is using location tracking, they speculated that future versions of the malware may start availing itself of the feature.
The malware also has been updated to maintain a persistent connection with the attacker’s command and control server (or C2) in real time using a websocket.
The new capabilities underscore the ever-evolving behavior of crimeware apps and other kinds of malware as their authors strive to increase the apps’ reach and the revenues they generate. Android phone users should remain wary of malicious malware by limiting the number of apps they install, ensuring apps come only from trustworthy sources, and installing security updates quickly.