The digital world won't be having a shortage of malware, simply because tech evolves and malicious actors are getting smarter.
As found by researchers from McAfee, a set of malicious Android apps have been caught posing as app security scanners on the official Google Play Store to distribute a malware which creates a backdoor for gathering sensitive information.
When installed, these malicious apps urge users to update Chrome, WhatsApp, or a PDF reader.
But instead of updating the app in question when users comply, the app will take full control of the device by abusing accessibility services.
The researchers call this malware 'BRATA', or short for “Brazilian Remote Access Tool Android.”
And this time, the authors behind the malware have enhanced this BRATA to also serve phishing pages to collect financial details of victims that are not only in Brazil, but also in Spain and the U.S..
In a blog post by the researchers at McAfee:
The malicious apps can get a strong hold inside their victims devices by also disabling the Play Store app.
They do this in order to also disable Play Protect, a feature from Google that preemptively runs a safety check on apps before they are downloaded from the app store, and routinely scans Android devices for potentially harmful apps and removes them.
Abusing the accessibility services, the apps can even grant themselves any permissions they want by clicking on the 'Allow' button whenever the permission dialog appears in the screen.
What's more, they can also uninstall themselves in cases like for example, the Settings interface of itself with the buttons “Uninstall” and “Force Stop” appears in the screen.
The updated BRATA-infested apps also come equipped with added obfuscation and encryption layers.
At this time, the apps in question have racked up anywhere between 1,000 to 5,000 installs. Another app named DefenseScreen was already removed from the Play Store in 2020.
"BRATA is just another example of how powerful the (ab)use of accessibility services is and how, with just a little bit of social engineering and persistence, cybercriminals can trick users into granting this access to a malicious app and basically getting total control of the infected device," the researchers concluded.
"By stealing the PIN, Password or Pattern, combined with the ability to record the screen, click on any button and intercept anything that is entered in an editable field, malware authors can virtually get any data they want, including banking credentials via phishing web pages or even directly from the apps themselves, while also hiding all these actions from the user."
While the BRATA-infested apps are mostly found on Google Play Store, it is and again advised that Android users should only rely on the official app store to download their apps.
But precautions should be made in order to not fall as victims.
McAfee suggests that users to never trust an Android app just because it’s available in the official store, install a known security app, never click on suspicious links received from text messages or social media, particularly from unknown sources, always double check by other means if a contact that sends a link without context was really sent by that person, because it could lead to the download of a malicious application.
And when attempting to install an app, users should always check the developer information, requested permissions, the number of installations, and the content of the reviews.
Sometimes applications could have very good rating but most of the reviews could be fake.
"Judging by our findings, the number of apps found in Google Play in 2020 and the increasing number of targeted financial apps, it looks like BRATA will continue to evolve, adding new functionality, new targets, and new obfuscation techniques to target as many users as possible, while also attempting to reduce the risk of being detected and removed from the Play store," the researchers concluded.