The operators behind BRATA have once again added more capabilities to the Android mobile malware in an attempt to make their attacks against financial apps even more stealthy.
“In fact, this operating model matches the Advanced Persistent Threat (APT) operating model,” Italian cybersecurity firm Cleafy said in a report last week. “The term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information.”
An acronym for “Brazilian Remote Access Tool for Android,” BRATA was first discovered in the wild in Brazil in late 2018, before making its first appearance in Europe last April, while masquerading as antivirus and other common productivity tools to trick users into downloading them.
The change in attack pattern, which rose to a new high in early April 2022, involves tailoring the malware to attack one specific financial institution at a time, shifting to another bank only after the victim begins to take countermeasures against the threat.
Also built into the rogue apps are new features that allow them to impersonate a financial institution’s login page to collect credentials, access SMS messages, and download a second-stage payload (“unrar.jar”) from the remote server to log events on the compromised device.
“The combination of the phishing site with the victim’s ability to receive and read SMS can be used to perform a complete account takeover (ATO) attack,” the researchers said.
Additionally, Cleafy said it found a separate Android app bundle sample (“SMSAppSicura.apk”) that uses the same command and control (C2) infrastructure as BRATA to harvest SMS messages, indicating that the threat actors are experimenting with different methods to expand their reach.
The SMS-stealing app is said to specifically target users in the UK, Italy and Spain, with the goal of intercepting and filtering all incoming messages related to one-time passwords sent by banks.
“The first malware campaigns were spread through fake antivirus software or other popular applications, while in the current campaigns the malware is executing an APT attack targeting customers of a specific Italian bank,” the researchers said.
“They usually focus on delivering targeted malicious apps to a specific bank for a few months, and then move on to another target.”