A powerful new Android malware family is making the rounds among smartphone users in Brazil. Researchers refer to it as BRATA, short for Brazilian RAT Android. The malware appears to be proliferating unchecked: at least 20 new variants have been reported since BRATA was first discovered in January 2019. The broad reach of this RAT family is due mostly to the fact that the majority of the malicious binaries were found on the official Google Play store, disguised as updates for the WhatsApp instant messaging service.
BRATA is particularly interested in online banking information, which it diligently collects and sends to its operators in real time. That functionality is what has impressed researchers at Kaspersky Latin America the most, although this remote access tool does not stop at stealing bank account login credentials and two-factor authentication tokens: it also spies on the user's messages and calls, retrieves files, and performs many other activities that threaten user privacy.
For the moment, BRATA remains a financial threat to users who check their online bank accounts from their mobile phones, and it affects only Android users located in Brazil. However, there is no reason why it could not spread to other regions of the world at any point. Furthermore, this malware could easily evolve into an extortion-type threat that locks the user's files and demands a ransom in exchange for a decryption key. So far, Kaspersky researchers state that BRATA targets only the clients of banks, not the banks themselves.
BRATA runs on Android 5.0 Lollipop and later and has several infection vectors. Apart from the fake WhatsApp updates, users can also be infected through spam messages, sponsored links in Google search results, and push notifications on compromised websites. BRATA abuses the well-known WhatsApp vulnerability CVE-2019-3568 to infect the target device. Then, to carry out its malicious tasks, the RAT activates a keylogging feature and a real-time streaming service. The malware takes full control of the affected device by interacting with other applications installed on the victim's phone through Android's Accessibility Service feature.
The fake WhatsApp copies have since been removed from the Brazilian Google Play Store, and the developer has been banned from future uploads. Yet BRATA still spreads through third-party markets for mobile applications and could soon emerge in other regional Google Play stores, researchers warn.