Cybercriminals have recently increased their use of banking trojans, which continue to become more effective as they evolve.
For example, Brazilian Remote Access Tool Android (BRATA) was originally spyware for Android devices, but has now been upgraded to a banking trojan. Hackers have developed multiple versions of BRATA, depending on its intended target.
BRATA’s most malicious change is that it can now perform a factory reset on the target device, preventing victims from detecting unauthorized wire transfers. A factory reset indicates that either BRATA has successfully compromised the device and completed the transaction, or it has detected that it’s running in a virtual environment and is attempting to avoid dynamic analysis by anti-virus (AV) software. BRATA primarily uses this capability as a kill switch, but it also discourages users from wiping the device as this action could result in an irreversible loss of data.
Security firm Cleafy reports that BRATA is now being distributed by a downloader so that it evades detection by antivirus solutions. BRATA also scans the target device for AV software and attempts to remove it before exfiltrating data. In addition, it’s capable of GPS tracking and uses several methods to maintain communications between the device and its command and control (C2) server. Furthermore, BRATA continuously monitors the victim’s banking apps with techniques such as keylogging and Virtual Network Computing (VNC).
Variants
Three new variants of BRATA have attacked financial institutions in China, Italy, Latin America, Poland, the U.K. and Spain. Each one is specifically designed for different targets, including unique apps, languages and overlays. However, all versions use the same techniques to avoid detection by AV software, including enclosing their Android application package (APK) file in an encrypted DEX or Java Archive (JAR) package.
Protection
BRATA relies on social engineering techniques to infect target devices. The best ways of protecting your devices from this type of malware include conducting research on apps you want to download, not using links from untrusted sources and subscribing to a mobile AV program.
An app isn’t necessarily legitimate just because it’s listed on the App Store or Google Play. Check the number and quality of reviews before downloading any app. An app that has only a few vague reviews is probably either new or fake. Check the app developer’s history to ensure they have a good reputation before downloading one of their apps.
Never click on any links in an email message if you aren’t sure who sent it. A message with many writing errors is also suspicious, especially if it purports to come from a legitimate business. Phishing emails often rely on creating a sense of urgency to coerce recipients into responding without examining the sender’s address. Call the company’s customer service number directly to verify the email’s authenticity before responding, especially if the email claims to be from a financial institution.
Subscribe to an antivirus product for mobile devices like McAfee Mobile Security. This app uses various techniques to protect Android devices and iPhones, including scanning for malicious apps, safe surfing, and locating lost or stolen devices. Also, use caution when granting permissions to a new app by ensuring those permissions are related to the app’s core functionality.
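The permission check in the previous paragraph can be made concrete. The following Python script is an added example written for this page; it is not code from the original article, from Cleafy or from McAfee. It parses an app's AndroidManifest.xml (the sample manifest and the "flashlight" app it describes are constructed for the example) and flags permissions that give an app the capabilities the article attributes to BRATA (overlays, accessibility-based keylogging and remote control, device-admin wipe, SMS interception, location tracking) when the app's stated purpose does not justify them. The `EXPECTED_FOR_PURPOSE` table is an assumption for the example; the permission names themselves are real Android permission identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app observe or control a banking session.
# The descriptions are the example author's, mapped to the behaviours the
# article attributes to BRATA (overlays, keylogging/VNC, factory reset, GPS).
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps (fake login screens)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "read screen content and inject input (keylogging, remote control)",
    "android.permission.BIND_DEVICE_ADMIN": "device-admin policies, including wiping the device",
    "android.permission.RECEIVE_SMS": "intercept SMS one-time codes",
    "android.permission.READ_SMS": "read stored SMS one-time codes",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional packages (downloader behaviour)",
    "android.permission.ACCESS_FINE_LOCATION": "track the device's location",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps (e.g. to find AV or banking apps)",
}

# Assumed for the example: permissions a reviewer would accept for a given
# stated purpose. A real review would build this table per app category.
EXPECTED_FOR_PURPOSE = {
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
}

# Constructed sample manifest for a hypothetical "flashlight" app that asks
# for far more than a flashlight needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Collect every permission the manifest asks for.

    <uses-permission> covers runtime/install permissions; accessibility and
    device-admin components are instead declared with an android:permission
    attribute on a <service> or <receiver>, so those are collected too.
    """
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(name_attr)
        if name:
            perms.add(name)
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            perm = node.get(perm_attr)
            if perm:
                perms.add(perm)
    return perms


def review_permissions(manifest_xml: str, purpose: str) -> dict:
    """Return {permission: risk description} for every high-risk permission
    that the app's stated purpose does not justify."""
    expected = EXPECTED_FOR_PURPOSE.get(purpose, set())
    findings = {}
    for perm in sorted(requested_permissions(manifest_xml)):
        if perm in HIGH_RISK and perm not in expected:
            findings[perm] = HIGH_RISK[perm]
    return findings


if __name__ == "__main__":
    for perm, why in review_permissions(SAMPLE_MANIFEST, "flashlight").items():
        print(f"UNJUSTIFIED {perm}: {why}")
```

Run against the constructed manifest, the script reports five unjustified permissions for a flashlight app (overlay, accessibility, device admin, SMS and location) and only CAMERA passes. The same manifest reviewed as a "messaging" app would drop RECEIVE_SMS from the findings, which is the point of tying the check to the app's stated core functionality rather than to a fixed blocklist.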
BRATA is one of many banking trojans currently active, and it poses a major financial threat. The latest changes in BRATA indicate its creators are developing new features intended to customize it for new targets. The same techniques that are effective against other social engineering-based attacks should also protect your device from BRATA.
Android flickr photo by Inteaux shared under a Creative Commons (BY) license