BRATA Android Malware Evolves Into an APT

Published: 23/11/2024   Category: security


The BRATA Android banking Trojan is evolving into a persistent threat with a new phishing technique and event-logging capabilities.

An Android-based banking Trojan known as BRATA (short for Brazilian RAT Android) has evolved to incorporate new phishing techniques and capabilities to acquire GPS, overlay, SMS, and device management permissions.
The Italian mobile security company Cleafy reported in a blog post this week that these changes align with an advanced persistent threat (APT) pattern of activity.
Threat actors behind BRATA now target a specific financial institution at a time, and change their focus only once the targeted victim starts to implement consistent countermeasures against them, the blog post explained. Then, they move away from the spotlight, to come out with a different target and strategies of infections.
The new variant, which is targeting the EU region by posing as specific bank applications, can also now perform event logging through its ability to sideload a second-stage piece of malware from its command-and-control (C2) server.
The threat actors operating the new malware variant (BRATA.A) are also expanding their capabilities to include a methodology for potentially bypassing SMS-based multifactor authentication (MFA).
The updated phishing technique can mimic a targeted bank's login page, part of the group's strategy to acquire personal information to be used later for social-engineering purposes.
Once installed, the pattern of the attack is similar to other SMS stealers, according to the blog post. This consists of the malicious app asking the user to replace the default messaging app with the malicious one so that it can intercept all incoming messages.
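A defender-side triage check for the behaviour described above, written for this article as an added example (it is not Cleafy's or BRATA's code): it flags installed apps that hold the SMS, overlay, location and device-admin capability set attributed to the new variant, that were sideloaded rather than installed from the approved store, or that now hold the default SMS handler role. The per-app inventory format, the package names and the "only Google Play is approved" rule are constructed assumptions, not a real device dump.

```python
"""Added triage example (not Cleafy's or BRATA's code): flag apps that hold the BRATA-style
capability set (SMS, overlay, location, device admin), were sideloaded, or took the SMS-handler role."""
from dataclasses import dataclass

CAPABILITIES = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play counts as approved

@dataclass
class AppRecord:
    package: str
    installer: "str | None"    # None means no installer package recorded, i.e. sideloaded
    device_admin: bool         # app has an active device-administrator receiver
    permissions: set

def parse_inventory(text):
    """Parse constructed lines: pkg=<name> installer=<pkg|none> admin=<yes|no> perms=<a,b,...>."""
    apps = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        installer = None if kv.get("installer", "none") == "none" else kv["installer"]
        perms = {p for p in kv.get("perms", "").split(",") if p}
        apps.append(AppRecord(kv["pkg"], installer, kv.get("admin") == "yes", perms))
    return apps

def assess(app, default_sms_app):
    """Return (verdict, findings); 'high' = sideloaded app holding the full BRATA-style set."""
    findings = [name for name, perms in CAPABILITIES.items() if app.permissions & perms]
    if app.device_admin:
        findings.append("device_admin")
    sideloaded = app.installer not in TRUSTED_INSTALLERS
    if sideloaded:
        findings.append("sideloaded")
    if sideloaded and app.package == default_sms_app:
        findings.append("default_sms_handler")  # the messaging-app takeover step described above
    full_set = {"sms", "overlay", "location", "device_admin"} <= set(findings)
    verdict = "high" if full_set and sideloaded else "medium" if sideloaded and "sms" in findings else "low"
    return verdict, findings

CONSTRUCTED_INVENTORY = """
# constructed sample records, not package names from any real campaign
pkg=com.example.fakebank installer=none admin=yes perms=android.permission.RECEIVE_SMS,android.permission.READ_SMS,android.permission.SYSTEM_ALERT_WINDOW,android.permission.ACCESS_FINE_LOCATION
pkg=com.example.chat installer=none admin=no perms=android.permission.RECEIVE_SMS,android.permission.READ_SMS
pkg=com.example.maps installer=com.android.vending admin=no perms=android.permission.ACCESS_FINE_LOCATION
"""
```

Run `assess(app, default_sms_app)` over `parse_inventory(...)` with the package currently holding the device's default SMS role; a sideloaded app that holds all four capabilities and the SMS role is the high-signal case this article describes.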
Credential harvesting is common in banking Trojans and stealer malware, but bypassing MFA is a bit more complicated.
This functionality, along with BRATA's ability to remain undetected for prolonged periods of time, could potentially classify the threat actors as an APT, says Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows.
From the perspective of John Bambenek, principal threat hunter at Netenrich, the ability to request additional permissions on the device indicates what the attackers are thinking as far as future development.
Not all the new features are actively collecting and transmitting data to the attacker, but future updates can change that, he says. The actors are spending real effort to make sure they can maximize their success. Banks are constantly evolving, so attackers must do so also.
He adds that because mobile malware is typically still just an app, consumers can protect themselves by only installing apps from approved app stores and by being wary when apps ask for banking credentials.
Financial institutions need to invest in behavioral analytics to detect stolen credential use against their online presence to prevent fraud against their consumers, Bambenek says.
In a statement provided to Dark Reading, the Cleafy Threat Intelligence team notes BRATA's evolution suggests the threat actors plan to diversify their business model, and consequently its income.
Cleafy's hypothesis is that BRATA is sold as malware-as-a-service (MaaS) to different groups, since the firm is tracking many variants of this malware hitting different countries across the globe.
It has been observed that they started refactoring part of the malware, in order to tailor it according to the requests of their customers, the statement reads.
In January, Cleafy discovered the group behind BRATA manipulating Android's factory reset to prevent victims from discovering or reporting and preventing illicit wire transfers. At that point, the malware campaigns were targeting Italian banks.
During the last year, BRATA was delivered through sideloading techniques, not through the official Google Play Store.
Cleafy recommends users pay particular attention to downloading apps from untrusted websites or whenever SMS is required to install an application.
However, considering the Android 13 restriction for sideloaded apps, we do not exclude that in the future BRATA will be also delivered through official stores, like other famous malware have been trying to do in recent months (e.g. Sharkbot, Teabot etc.), the statement continues.
Kaspersky first discovered BRATA in 2019 when it was simply spyware and targeted at users in Brazil.
