The RAT targets users via fake WhatsApp updates in Google Play.
A powerful Android remote access tool (RAT) family dubbed BRATA is proliferating, with at least 20 different variants cropping up since it was first spotted in January. The majority of the binaries have been found in the official Google Play store, masquerading as updates for the instant messaging application WhatsApp.
Notably, BRATA collects and relays information — especially banking information — in real time to its operators, according to research from Kaspersky.
“The ability to remote control a smartphone in real time [is the most notable thing about BRATA],” said Santiago Pontiroli, security researcher for Kaspersky Latin America, speaking to Threatpost. “BRATA is not only able to steal financial credentials and two-factor authentication tokens but also is able to retrieve files, spy on the user’s calls and messages and more.”
To carry out its malicious work, it abuses a known WhatsApp vulnerability (CVE-2019-3568) to infect a target device, and then enables a key-logging feature along with real-time streaming functionality. It also uses Android’s Accessibility Service feature to interact with other applications installed on the user’s mobile phone and gain full control of the device, according to Pontiroli.
For the malware to function correctly, it requires at least Android Lollipop 5.0 version, researchers said in a posting this week. The researchers also noted that the cybercriminals behind BRATA have several infection vectors, including using push notifications on compromised websites, spam messages delivered via WhatsApp or SMS, and sponsored links in Google searches.
BRATA, short for Brazilian RAT Android, is making the rounds in Brazil. However, it could easily make the jump to different regions around the world, researchers said.
Pontiroli noted, “Nothing stops BRATA from expanding to other regions or from evolving the campaign to include an extortive scheme (such as demanding a ransom for private information).”
He added that BRATA’s authors seem particularly interested in mobile banking information.
“For the moment, BRATA is focused on users using their smartphones for online banking,” he told Threatpost. “It targets users from several Brazilian banks but not the banks themselves. For the moment this is a financial threat, focused on getting credentials from users that check their banking accounts from their smartphones.”
The fake WhatsApp applications have been removed from the Brazilian Google Play store and the developer, “JCLapp,” banned from uploading any further apps. However, the malware is still being distributed in third-party markets and could easily surface in other regional Google Play stores under a different developer alias, researchers warned.