Update With New Features: Android Trojan Brata Reaches Europe

The perpetrators are currently targeting victims in the UK, Italy, and Spain. Based on their modus operandi, security researchers are now categorizing the scammers as an Advanced Persistent Threat.

Researchers from Italian cybersecurity provider Cleafy have warned of a new variant of the Android Trojan Brata. The banking malware, originally developed for Brazil, also has new features for accessing location data and sending and receiving SMS messages. In addition, the phishing sites needed for the banking scam have been adapted to European banks.

For sending and receiving SMS, an additional malicious app is used, which reuses code from the Brata Trojan. Cleafy researchers believe that the app is primarily intended to spy on the address books of devices in the UK, Italy and Spain. To do so, it prompts users to make it the default messaging app, which gives it access to messages, including SMS messages that contain one-time passwords or codes for two-factor authentication.

In addition, researchers point out that the perpetrators behind the attacks focus on specific banks for only a few months at a time, and then target customers of other financial institutions. “The modus operandi now fits the activity pattern of Advanced Persistent Threats (APT). This term is used to describe an attack campaign in which criminals establish a long-term presence on a target network to steal sensitive information,” the researchers said.

“The threat actors behind BRATA target one specific financial institution at a time and only change their focus when the targeted victim begins to take consistent countermeasures. Then they retreat from the spotlight, only to return with a different target and different infection strategies.”

Brazilian Remote Access Tool Android (Brata) has been circulating since at least 2019. It was originally designed as pure spyware; those behind it later developed the malware into a banking Trojan. Brata is also known to use a device's factory reset feature to cover its traces.