McAfee's mobile research team has discovered new variants of the BRATA malware, which are targeting users in Spain and the United States. They are distributed on Google Play, posing as app security scanners.
These malicious apps tell users to update Chrome, WhatsApp, or a PDF reader, but instead of updating the app, they take full control of the device.
In the past, versions of BRATA had been identified in Brazil, and now this phishing is mainly aimed at "financial institutions, not only in Brazil but also in Spain and the United States", according to the researchers.
The way it works seems very similar to Flubot, which in recent months has been behind countless cases of theft of important information in our country. Remember that for Flubot there is already an app that allows you to uninstall the virus.
How BRATA operates
BRATA is distributed through Google Play and pretends to be an application and program scanner. It alerts the user that some of their programs need cleaning; when the user accepts, the malware pretends to scan the installed applications while, in the background, it checks whether any of the target apps provided by a remote server is installed on the user's device.
If so, that is, if it has a special interest in any of the user's applications, it asks the victim to install a fake update of a specific application selected according to the language of the device. One of the newly discovered features is that it now also sends alerts in Spanish about WhatsApp, warning that the application is not updated. In the case of applications in English, BRATA suggests updating Chrome, while constantly displaying a notification at the top of the screen asking the user to activate accessibility services.
Once the user clicks "UPDATE NOW!", BRATA proceeds to open the main Accessibility tab in the Android settings and asks the user to grant permissions to use accessibility services.
When the user tries to perform this action, Android warns of the potential risks of granting an application access to accessibility services. As soon as the user clicks OK, the persistent notification disappears, the main app icon is hidden, and a completely black screen appears with the word "Updating". McAfee believes this is done to hide the automated actions that the application can now perform, because the victim has already fallen for the trap.
That is, victims are persuaded to install malicious applications on their phones on the pretense that there is a security problem and that the app is going to fix it. However, the real security issue starts when the victim heeds this warning and downloads the unknown program.
BRATA has two ways of getting information from victims. On the one hand, it can take full control of the infected device by abusing accessibility services. On the other, it has banking Trojan functionality, presenting phishing URLs that mimic certain financial and banking apps.
How to avoid getting infected
The way to avoid falling into the trap is basically the same as with the vast majority of phishing programs: do not download any program that you do not know. In this case especially, do not run security software that claims it will analyze and update your system.
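Because the takeover described above depends on an app being granted accessibility access, a quick check is to list which apps currently hold it. The following is an added example, not code from McAfee or from the original article: it parses the value returned by `adb shell settings get secure enabled_accessibility_services` and flags any package outside an allowlist. The sample value, the package `com.example.fakescanner` and the allowlist are constructed for illustration.

```python
"""Audit which apps hold Android accessibility access (added example)."""

# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# returns: colon-separated "package/ServiceClass" components.
SAMPLE = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakescanner/com.example.fakescanner.UpdateService"
)

# Assumption: packages the device owner knowingly granted accessibility to.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Return (package, full_class) pairs from the settings value."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # the setting is empty or unset
        return []
    services = []
    for component in raw.split(":"):
        component = component.strip()
        if "/" not in component:
            continue                  # malformed entry, skip it
        package, cls = component.split("/", 1)
        if cls.startswith("."):       # shorthand: class relative to package
            cls = package + cls
        services.append((package, cls))
    return services


def unexpected_services(raw, allowlist=ALLOWLIST):
    """Services whose package the owner has not explicitly approved."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in allowlist]


if __name__ == "__main__":
    for package, cls in unexpected_services(SAMPLE):
        print(f"REVIEW: {package} holds accessibility access via {cls}")
```

An app having come from Google Play is not a reason to add it to the allowlist, since the BRATA variants described here were distributed there.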
During 2020, the threat actors behind BRATA managed to publish several applications on Google Play, most of which reached between one thousand and five thousand installations. However, some variants also reached 10,000 installations, including the latest, DefenseScreen, reported to Google by McAfee in October and subsequently withdrawn from Google Play.
It must be remembered that although this threat has just landed in Spain, it has been known in Brazil (in fact, the letter B in its name stands for Brazilian) since 2018, when Kaspersky discovered it. Researchers say it has now become more sophisticated.