Cybercriminals are using banking trojans extensively. Here we look at an Android banking trojan, BRATA, that has evolved to become more harmful and stealthier.
Cleafy, a security firm, studied three new BRATA variants and found that the trojan can perform a factory reset, which prevents victims from detecting unauthorized wire transfers made from their devices. The variants can also track the device's location via GPS, use several communication channels between the C2 server and the device, and continuously record activity in the victim's banking app through keylogging and VNC techniques. The researchers also found that the malware uses a downloader to avoid detection by antivirus solutions.
The ability to factory reset the device is the most damaging feature. The reset is performed in either of two cases:
- The compromise has succeeded and the fraudulent transaction has been completed
- The app detects that it is running in a virtual environment, in which case the reset frustrates dynamic analysis
BRATA uses this process as a kill switch, but it is a threat to victims because resetting the device can lead to permanent data loss. The report also notes the following:
- The new variants have already targeted banks and financial institutions in Poland, the U.K., Italy, Latin America, China, and Spain.
- Each variant is tailored to a different set of banks, with its own overlays, app packages, and languages to target a particular group of victims.
- However, all the versions use the same obfuscation techniques, including enclosing the APK file in an encrypted DEX or JAR package, which evades detection by antivirus software.
- Furthermore, BRATA scans the device for antivirus software and attempts to remove those security tools before moving on to data exfiltration.
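The obfuscation bullet above is the one point a defender can turn into a concrete triage check: a second-stage DEX or JAR that has been encrypted no longer carries the plaintext `dex\n` or ZIP `PK` header, and its bytes have near-maximal entropy. The following script is an added example written for this page (not code from Cleafy or from the malware) that opens an APK as a ZIP archive and flags entries named like code containers whose header does not match, plus high-entropy blobs under `assets/`. The file names, thresholds and the in-memory sample APK are constructed for the demonstration.

```python
"""Triage heuristic for APKs that hide a second-stage DEX/JAR as an encrypted blob.

Added example, not code from the report or the malware. Thresholds and file
names are illustrative choices; the sample APK is constructed in memory.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter
from typing import List, Dict, Optional

DEX_MAGIC = b"dex\n"          # header of a plaintext DEX file
ZIP_MAGIC = b"PK\x03\x04"     # header of a JAR/APK/ZIP container
CODE_SUFFIXES = (".dex", ".jar", ".apk", ".zip")
ENTROPY_THRESHOLD = 7.5       # bits per byte; encrypted/compressed data sits near 8.0
MIN_SIZE = 1024               # entropy estimates on tiny entries are too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_entry(name: str, data: bytes) -> Optional[str]:
    """Return a reason string if the entry looks like a hidden payload, else None."""
    at_root = "/" not in name
    looks_like_code = name.lower().endswith(CODE_SUFFIXES)
    has_code_magic = data.startswith(DEX_MAGIC) or data.startswith(ZIP_MAGIC)
    if looks_like_code and not has_code_magic:
        # A .dex/.jar whose first bytes are not a DEX or ZIP header: the
        # container is most likely encrypted and decrypted at runtime.
        return "code container without DEX/ZIP header (likely encrypted)"
    if looks_like_code and has_code_magic and not at_root:
        # Plaintext code outside the APK root (e.g. under assets/) is code the
        # app loads dynamically rather than through classes.dex; worth a look.
        return "plaintext code container outside APK root"
    if (name.startswith("assets/") and len(data) >= MIN_SIZE
            and not has_code_magic and shannon_entropy(data) >= ENTROPY_THRESHOLD):
        # Opaque, high-entropy asset with no recognised header.
        return "high-entropy asset (possible encrypted payload)"
    return None


def find_suspicious_payloads(apk_bytes: bytes) -> List[Dict[str, object]]:
    """Walk every file entry of the APK and collect the ones classify_entry flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            reason = classify_entry(info.filename, data)
            if reason:
                findings.append({
                    "name": info.filename,
                    "reason": reason,
                    "entropy": round(shannon_entropy(data), 2),
                    "size": len(data),
                })
    return findings


def _constructed_blob(n: int, seed: bytes = b"constructed-example") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_constructed_apk() -> bytes:
    """Build an in-memory, APK-shaped ZIP for the demo (constructed sample, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 2048)   # benign: root, DEX header
        zf.writestr("assets/config.txt", b"server=example.invalid\n" * 100)   # benign: low entropy
        zf.writestr("assets/payload.jar", _constructed_blob(8192))            # suspect: .jar, no header
        zf.writestr("assets/strings.bin", _constructed_blob(4096, b"second"))  # suspect: opaque blob
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_suspicious_payloads(build_constructed_apk()):
        print(f"{f['name']:<24} {f['entropy']:>5} bits/byte  {f['size']:>6} B  {f['reason']}")
```

Treat a hit as a reason to pull the sample into deeper analysis, not as a verdict: compressed media, fonts and legitimately packed assets also score close to 8 bits per byte, and a .dex/.jar with the expected header under `assets/` is common in apps that load optional features. What the heuristic does reliably is surface the pattern the report describes, a code container whose bytes cannot be code until something in the app decrypts it.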
BRATA, one among the many active banking trojans, is a serious threat to victims. The latest report suggests that attacks using Android malware are on the rise and reaching new targets. The best way to avoid such malware is to install apps only from the Google Play Store and scan them with an antivirus.