The McAfee cybersecurity team has detected the presence of new malware in the Play Store. Curiously, are apps that pose as security scanners on Android, although they are Trojans capable of capturing lock screen credentials to monitor device activity and even steal bank keys.
The malware is called BRATA and has been on Android since 2018. Since that date it has been expanding, from Brazil (where it began to be distributed) to now focus on Spain and the United States. BRATA is a sophisticated malware It continues to evolve, so you have to be especially careful with it.
BRATA: a malware that continues to advance and that reaches Spain
BRATA was first discovered in 2018 and its name comes from ‘Brazilian Remote Access Tool Android’. Malware is able to fully control the device, showing pages of phishing that allow bank credentials to be stolen. Similarly, it works as a keylogger, so it can detect the user’s screen keystrokes to capture them and know all the credentials and passwords.
The most serious thing about BRATA is that, since 2018, applications containing this malware have been sneaking into the Play Store, so there may be a few active
The worst thing is that this malware is downloaded from the official Google store, through different applications that have reached over 10,000 downloads. As these apps have been removed from the Play Store, BRATA has been adding new layers of protection through obfuscation, configuration file encryption and new servers. In short, since 2018 it has not stopped distributing itself and becoming stronger and stronger.
According to the Mcafee report, in 2020 the actors behind BRATA managed to publish several applications on Google Play, reaching the majority between a thousand and 5 thousand downloads, with peaks of 10,000 downloads in some of them. Most of them are apps that try to pass themselves off as security applications, causing us to download more malicious files.
“BRATA impersonates a security application scanner that pretends to scan all installed applications, while in the background it checks if any of the target applications provided by a remote server are installed on the user’s device. In this case, it will prompt the user to install a fake update of a specific application selected according to the device language.
As with the Flubot malware, BRATA obtains full permissions to control the device, something that makes it very dangerous. The main icon of the app is hidden, but it runs in the background with a server. It is even capable of creating a fake home screen for us to enter our PIN, thus being able to steal it. Specifically, these are the functions that BRATA can perform.
Steal Lock Screen (PIN / Password / Pattern)
Screenshot: record device screen and send screenshots to remote server
Execute actions: interact with the user interface by abusing accessibility services
Unlock device: use stolen PIN / password / pattern to unlock device
Start / Schedule Activity Start – Opens a specific activity provided by the remote server
Start / Stop Keylogging – Capture user input in editable fields and filter to remote server
UI text injection – injects a string provided by the remote server into an editable field
Hide / Show Incoming Calls: Set the ringer volume to 0 and create a completely black screen to hide an incoming call
Clipboard manipulation: injects a string provided by the remote server into the clipboard
Similarly, Mcafee indicates that BRATA is capable of disable Google Play Protect to download malware at will and that it can give itself permissions to run free.
Although the latest reported apps have been removed from the Play Store, the malware is still active, so it is recommended not to install suspicious applications. It is always recommended to check well where the app comes from, who its developer is and, of course, never give you full accessibility permissions.
More information | McAfee