IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

BRATA malware has evolved to target online banking across Europe, researchers warn

The new variant can now access SMS, GPS, and device control to better steal financial data

An animated mockup of a login in form being lifted out of a laptop screen to symbolise a phishing attack

An Android malware strain, known for its attacks on the Google Play store, has been spotted targeting the login pages of online banks, in what experts believe is a long-term shift in strategy by its developers.

The Brazilian Remote Access Tool (BRATA) first surfaced in 2018, targeting Android users with fake antivirus apps and similar security software in an effort to steal credentials.

Related Resource

The Total Economic Impact™ of Mimecast

Cost savings and business benefits enabled by using Mimecast with Microsoft 365

Total economic impact of Mimecast - whitepaper from MimecastFree download

However, new attacks suggest the group behind the malware has pivoted towards targeting financial institutions directly, attempting to put fake login pages in front of users trying to access online banking services.

The new variant has been flagged by the cyber security organisation Cleafy, who provided screenshots of a phishing page new to BRATA that mimics the login field for a prominent bank, asking users to input their PIN and client number.

“They usually focus on delivering malicious applications targeted to a specific bank for a couple of months, and then moving to another target,” Cleafy explained in a blog post on the discovery.

A screenshot of a fake Italian bank login screen asking the users to enter a client number and PIN

Moves to socially engineer the customers of specific banks indicate that BRATA’s threat actors are curating their pool of targets. Formerly localised to South America, efforts to steal financial information have resulted in a shift in focus towards users across mainland Europe and the UK, with Italy-based Cleafy first discovering the variant through increased activity across the region.

The evolution has also seen the introduction of new features, which allow the strain to seek permissions over SMS, GPS, and device management. Additionally, on install an event-logger plugin labelled 'unrar.jar' is downloaded from the BRATA command and control (C2) infrastructure. Cleafy expressed concerns that these additions “could be used to perform a complete Account Takeover (ATO) attack”.

At time of writing, targeted devices do not appear to be exchanging information with the threat actors behind the malware, and that this may indicate that the newest variant BRATA.A is still undergoing development, according to researchers.

However, the organisation has already identified a separate SMS stealer app connected to the BRATA C2 infrastructure, also targeting users in mainland Europe and the UK. With threat actors testing out new attack vectors linked by a common framework, there are fears that, once active, this variant could prove effective at taking over users’ financial accounts.

For this reason, Cleafy has assigned BRATA an Advanced Persistent Threat (APT) status, which they define as “an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information".

As malware evolves to deceive in more sophisticated ways, it is important that users keep up to date with threat prevention tactics, and only download apps from trusted sources.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems
phishing

Attackers use CSS to fool anti-phishing systems

11 Nov 2021
Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022