Background

BRATA Now Considered A Persistent Android Malware, Has Gained More Scary Features

"Android evil, Get it on Google Play"

BRATA, acronym for "Brazilian Remote Access Tool Android," was first detected in the wild in Brazil in late 2018, before making its first appearance in Europe in April 2022.

The Android malware works stealthily, and is capable of stealing data and even wiping phones clean.

After managing to seep into the Google Play Store and launch attacks against even more targets, researchers finally considered the malware something that needs addressing.

The operators behind BRATA have once again added capabilities to the Android mobile malware in an attempt to make their attacks against financial apps stealthier, and BRATA has evolved into an even more menacing piece of malware.

This is the reason why BRATA is finally considered an Advanced Persistent Threat, or 'APT'.

Differences between BRATA variants. (Credit: Cleafy)

According to Italian cybersecurity firm Cleafy in a post on its website:

"Here we go with another episode about our (not so) old friend, BRATA."

"[...] In fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information."

"Threat Actors behind BRATA now target a specific financial institution at a time, and change their focus only once the targeted victim starts to implement consistent countermeasures against them. Then, they move away from the spotlight, to come out with a different target and strategies of infections. At first glance, it seems to be a good strategy with a relevant payoff. However, it's important to point out also the struggles and the plan needed to apply this pattern."

The actors behind the malware have advanced it to the point where it can impersonate the login page of the targeted financial institution to harvest credentials, access SMS messages, and sideload a second-stage payload (unrar.jar) from a remote server to log events on the compromised device.

Its goal is to intercept and exfiltrate all incoming messages related to one-time passwords sent by banks.

"The combination of the phishing page with the possibility to receive and read the victim's SMS could be used to perform a complete Account Takeover (ATO) attack," the researchers said.

Additionally, the researchers at Cleafy said that they found a separate Android app package sample (SMSAppSicura.apk) that used the same command-and-control (C2) infrastructure as BRATA to siphon SMS messages, indicating that the threat actors are testing out different methods to expand their reach.
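The capability set described above (reading incoming SMS for OTPs, drawing a phishing overlay, and installing a second-stage package) leaves a recognisable footprint in an app's manifest. The following triage helper is an added example, not code from Cleafy or from any BRATA sample: it scores a decoded AndroidManifest.xml for those permission clusters and for an SMS_RECEIVED broadcast receiver. The permission-to-capability mapping and the two sample manifests are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Capabilities the article attributes to BRATA, mapped to the permissions an app
# needs to implement them. This mapping is an assumption for triage, not Cleafy's.
CAPABILITIES = {
    "sms_otp_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "phishing_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "second_stage_sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

def triage(manifest_xml):
    """Score a decoded AndroidManifest.xml for BRATA-like capability clusters."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    hits = {cap: sorted(perms & need) for cap, need in CAPABILITIES.items() if perms & need}
    # A receiver for SMS_RECEIVED is how an SMS stealer sees one-time passwords on arrival.
    if any(a.get(ANDROID_NS + "name") == SMS_RECEIVED for a in root.iter("action")):
        hits["sms_broadcast_receiver"] = [SMS_RECEIVED]
    # Two or more clusters together is rare in legitimate apps: flag for analyst review.
    return {"capabilities": hits, "score": len(hits), "review": len(hits) >= 2}

# Constructed sample manifests (not taken from any real BRATA or SMSAppSicura sample).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.smsstealer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS_MANIFEST))  # review: True, score: 4
    print(triage(BENIGN_MANIFEST))      # review: False, score: 0
```

A real pipeline would feed this from apktool or aapt2 output rather than a literal string; the heuristic is a triage filter, not proof of malice, since legitimate SMS apps also request these permissions.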

BRATA phishing page. (Credit: Cleafy)

Specifically, the malicious actors updated the BRATA malware with a preloaded phishing overlay and made it more targeted.

The researchers found that the malware focuses on one financial institution at a time, and only pivots to a different financial institution once its attacks are rendered ineffective by countermeasures.

"The first campaigns of malware were distributed through fake antivirus or other common apps, while during the campaigns the malware is taking the turn of an APT attack against the customer of a specific Italian bank," the researchers said.

"They usually focus on delivering malicious applications targeted to a specific bank for a couple of months, and then move to another target."

At this time, the SMS stealer app is said to be specifically targeting users in the UK, Italy, and Spain.

Published: 25/06/2022