BRATA malware disguises itself as security tools on Google Play

Hackers are tricking victims into granting their malicious apps certain permissions before taking control of Android devices

New variants of a dangerous Android malware family are disguising themselves as security tools on Google Play that urge users to update widely-used apps but instead seize control of their devices.

The Brazilian Remote Access Tool Android (BRATA) was first seen towards the end of 2018 but soon evolved into a banking Trojan combining full device control capabilities with the capacity to steal credentials.

Researchers at McAfee have now spotted new variants of the strain affecting victims based in the US and Spain, alongside new defensive capabilities. BRATA has added protective layers including string obfuscation, encryption of configuration files, the use of commercial packers, and moving its core functionality to a remote server so it can update easily without changing the main application. 

One of the most significant additions the fact that it's being disguised as security tools on the Google Play store. The perpetrators have managed to publish several security-oriented apps on the platform with thousands of downloads, including DefenseScreen, which accrued 10,000 installs before Google removed it.

DefenseScreen is the latest iteration of an app that pretends to scan all a device’s installed apps, while in the background checking if any of the target apps provided by a remote server are installed. If so, the malicious app will urge the user to install a fake update of the specific app, depending on the device’s language. In the case of English-language apps, BRATA suggests updating Chrome, while also showing a notification urging the user to activate accessibility services.

The app then guides the user to grant the malicious app a set of permissions, which, once granted, kicks the user into a black screen and a spinning wheel to indicate an update is being applied. At this point, the app is running in the background and remains in constant communication with a command and control (C&C) server.

BRATA can form a variety of actions once it’s compromised the device, including stealing passwords, capturing the screen, interacting with the user interface remotely, and unlocking the device without user interaction.

Related Resource

Taking a proactive approach to cyber security

A complete guide to penetration testing

A complete guide to penetration testing - whitepaper from CyberCxDownload now

The malware can also schedule activities, start or stop a keylogger, hide or show incoming calls, and manipulate the clipboard, among other functions.

“In terms of functionality, BRATA is just another example of how powerful the (ab)use of accessibility services is and how, with just a little bit of social engineering and persistence, cyber criminals can trick users into granting this access to a malicious app and basically getting total control of the infected device,” said McAfee security researchers Fernando Ruiz and Carlos Castillo.

“By stealing the PIN, Password or Pattern, combined with the ability to record the screen, click on any button and intercept anything that is entered in an editable field, malware authors can virtually get any data they want, including banking credentials via phishing web pages or even directly from the apps themselves, while also hiding all these actions from the user.”

McAfee has recommended that users refrain from installing all untrusted apps, even if they’re on the Google Play store, and to bear in mind that Android updates are installed automatically via the Play store.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
TsuNAME vulnerability could enable DDoS attacks on major DNS servers
distributed denial of service (DDOS)

TsuNAME vulnerability could enable DDoS attacks on major DNS servers

7 May 2021
Security researchers take control of a Tesla via drone
ethical hacking

Security researchers take control of a Tesla via drone

5 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021