The BRATA Android remote access trojan began life as spyware but was upgraded to a banking trojan and now can perform a device factory reset, according to new research.
Victims of Android malware are often advised to perform a factory reset after cleaning up an infection, but BRATA now does the reset for another reason: in order to wipe any evidence after conducting an illicit wire transfer from the victim's online bank account.
BRATA or "Brazilian RAT Android" was named by Kaspersky researchers in 2019 because it exclusively targets Android users in Brazil. Since then, it has broadened its reach to US and Spain bank brands, according to McAfee.
SEE: A winning strategy for cybersecurity (ZDNet special report)
Security firm Cleafy analyzed three new BRATA variants and its researchers reckon BRATA's authors are using the factory reset in order to impede victims from discovering an unauthorized wire transfer attempt. This blocks victims from reporting and stopping a fraudulent transaction.
The factory reset acts as a kill switch that is executed after a successful illicit wire transfer or when it detects analysis by installed security software.
"It appears that [threat actors] are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt," Cleafy notes.
"In this way, the victim is going to lose even more time before understanding that a malicious action happened."
The factory reset is achieved by BRATA posing as a legitimate security app that requests the vicim grant it the powerful Android "device admin" permission, which allows the app to erase all data, change the screen lock and set password rules.
Beyond the factory reset functionality, BRATA now has the ability to monitor the victim's bank app through VNC and by using mobile keylogging techniques.
Additionally, BRATA has expanded its targets to include bank brands from the UK and Poland, in addition to existing financial brands in Italy and Latin America.
BRATA is spread using SMS that impersonates a bank and contains a link to a website where the victim is duped into downloading an anti-spam app, according to Cleafy. The fraudsters then call the victim and trick them to install the banking trojan app, which allows the attacker to capture second-factor authentication codes sent by the bank to conduct fraud.
To monitor accounts, the malicious BRATA Android apps obtain Android Accessibility Services permissions to view how victims use their banking apps. The VNC modules helps them see what's on the bank app's screen, such as the account balance and transaction history. BRATA also takes screen shots of the victim's screen and sends this information to an attacker-controlled server.