Android device owners now have another scam to be on the lookout for as a deadly malware campaign moves to new locations. According to Cleafy’s cybersecurity experts, there has been an increase in the number of Android remote access trojan (RAT) infections over the past year.
It has been reported that the BRATA virus, which was first found in Brazil, has made its way to Italy. Using the virus, hackers are able to steal banking information from Android users and subsequently deplete their bank accounts.
A new Android fraud attempts to steal banking information
As the cybersecurity experts explain, this new variant of the BRATA malware is extremely difficult to detect and therefore impossible to contain.
A link to a website is sent first by the threat actors via an SMS text message. The text appears to be from a financial institution. This is referred to as the smishing method (phishing with SMS).
In case the victim chooses to click on the link, the website they arrive at will prompt them to download an anti-spam application. The website also informs the victim that a bank representative will contact them shortly to discuss the app they are downloading.
This is where BRATA distinguishes itself from other commonly encountered Android malware campaigns.
Read More: American Families to Begin Receiving at least $1,800 Stimulus Checks
You will receive a phone call from a fraud operator after visiting the website and providing your information. After that, a real person will attempt to persuade you into installing the malicious program.
They will employ a range of social engineering approaches to persuade you that they are affiliated with the financial institution in question. Those who fall for it may find themselves installing an app that hackers can use to take control of their phones.
What is it that BRATA is capable of doing to your device?
After infecting your Android device, the BRATA malware is capable of the following:
- SMS texts are intercepted and forwarded to a C2 server. It is used to receive 2FA from the bank through SMS during the login phase, as well as to confirm monetary transactions.
- The malware has screen recording and casting capabilities, which allow it to collect any sensitive information that appears on the screen. Among them include audio, passwords, financial information (including credit card numbers), photos, and messages (as shown in Figure 15). The malware uses the Accessibility Service to automatically click the “start now” button (of the popup) so that the victim is unable to prevent recording or casting of the owned device.
- Remove itself from the compromised device to lessen the likelihood of detection.
- Uninstalling certain programs is possible (e.g., antivirus).
- Hide its own icon app in order to be less detectable by those who are not advanced.
- Disable Google Play Protect in order to prevent being identified as a suspicious app by Google.
- Make changes to the device’s configuration to gain further privileges.
- If the device is locked with a secret pin or pattern, it will unlock it.
- Display the phishing landing page.
- Utilize the accessibility service to read anything that appears on the screen of the infected device or to imitate taps on the screen. This information is subsequently forwarded to the C2 server of the attackers to be used against them.
Are you in danger?
The BRATA Android fraud originally appeared in Brazil in 2019 and has since spread throughout the country. According to Cleafy, the majority of the new mule accounts that are spreading the trojan are originating from Italy, as well as Lithuania and The Netherlands.
In other words, if you live in the United States, you are unlikely to be targeted by this ad. As a result, if you own an Android device, you should be aware of yet another frightening peril.