If your Android phone initiates a factory reset out of the blue, there’s a chance it has been infected with the BRATA banking malware and you’ve just been ripped off.
The unusual functionality serves as a kill switch for the trojan, Cleafy researchers have explained, while also making the victim lose time trying to find out what happened as crooks siphon money out of their account.
European users under attack
First documented by Kaspersky researchers in 2019, BRATA was a RAT targeting Android users in Brazil. It was able to capture and send user’s screen output in real-time, log keystrokes, retrieve device information, turn off the screen to give the impression that it has been turned off, and more.
Through the years, BRATA evolved primarily into banking malware and has lately been aimed against Android users in Europe and the rest of Latin America. (Cleafy researchers hypothesize that the group responsible for maintaining the BRATA codebase is probably located in the LATAM area and is reselling this malware to other local groups.)
The trojan has been spotted targeting customers of several Italian banks in H2 2021.
“The attack chain usually starts with a fake SMS containing a link to a website. The SMS seems to come from the bank (the so-called spoofing scam), and it tries to convince the victim to download an anti-spam app, with the promise to be contacted soon by a bank operator. In some cases, the link redirects the victim to a phishing page that looks like the bank’s, and it is used to steal credentials and other relevant information (e.g. fiscal code and security questions),” the researchers shared last December.
Victims are persuaded by the fraud operators to install the app, which gives the latter control of the device and access to the 2FA code sent by the bank, allowing them to perform fraudulent transactions.
Since then, several variants of the malware posing as a variety of security apps have been targeting users of banks and financial institutions in the UK, Poland, Italy, and LATAM.
BRATA’s new capabilities
These “European” variants have gained interesting capabilities such as establishing multiple communication channels (HTTP and WebSocket/TCP) with the C2 – right after removing any antivirus app installed on the compromised device.
They are also able to continuously monitor the victim’s bank application through VNC and keylogging techniques and, as mentioned before, to perform the device factory reset.
“It appears that [threat actors] are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt,” the researchers noted.
Furthermore, they have also observed that the Android device factory reset is executed if the malicious app / malware is installed in a virtual environment, which means that its developers are trying to prevent researchers from performing a dynamic analysis of it.