Published: May 03, 2022 in our Security Fraud News & Alerts Newsletter.
Attacks by BRATA financial malware have finally made their way to the U.S., among other countries. Victims of the improved BRATA (Brazilian Remote Access Android) malware are finding a cruel twist to its attacks. BRATA not only steals a victim’s money, but cleans their device of any personal data stored there. It’s a mean-spirited component of this trojan malware, but BRATA criminals might add “it’s nothing personal.”
A little history. In 2019, BRATA malware was known to attack banking customers, limited at the time only to those in Brazil. But as we’ve seen with many other malware types, “improvements” are impossible to avoid. At some point, successful malware originally limited to one geographic area inevitably spreads to other geo-locations.
BRATA banking malware has a bag of tricks that all but guarantees successful attacks. It starts with smishing (SMS) texts in which BRATA poses as the target’s financial institution. As Italian security firm Cleafy finds, the attackers include a website link that supposedly downloads an anti-spam app but installs BRATA instead. From there, the attackers steal the verification codes the bank sends to confirm the victim’s identity, giving the criminals access to the account.
These attackers abuse a victim’s device by taking over its Android Accessibility Services. This service allows them to view and monitor the banking app screen, including transactions and balances. The malware also sends stolen screenshots to an attacker-controlled server, and a remote VNC (virtual network computing) module extends the attackers’ access to the device.
A few months ago, Cleafy researchers found BRATA malware is a type of RAT (remote access trojan). As a RAT, the attack avoids being tagged as “suspicious” since the victim’s bank already views their device as legitimate.
The RAT Hides
Having already stolen their money, the bad actors aren’t done with the victim yet. Their last step is restoring the attacked device to its factory settings for two reasons, neither of them good.
First, returning a device to factory settings deletes all personal data a victim has stored on their device, but it’s “nothing personal.” Beyond that, the reset also keeps a victim from knowing that a fraudulent wire transfer just cleaned out their bank account, preventing them from reporting or stopping the transfer.
Second, resetting a device also erases any direct forensic connection to BRATA and its criminal attackers. As Cleafy reports, “It appears that [threat actors] are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt…”
Both reasons are important to know about, but they don’t help victims caught up in a BRATA attack feel any better about their losses. Nothing personal, of course.