New Android Malware Performs Factory Reset after Stealing your Money
A new Android malware, called BRATA, is a banking Trojan that can perform a factory reset in order to wipe any evidence of an illicit wire transfer that it performs from a victim’s online bank account.
BRATA, or “Brazilian RAT Android”, was named by Kaspersky researchers in 2019 because it exclusively targeted Android users in Brazil. According to McAfee, it has since broadened its reach to bank brands in the US and Spain.
Security firm Cleafy analyzed three new BRATA variants and determined that BRATA’s authors are using the factory reset in order to impede victims from discovering an unauthorized wire transfer. This blocks victims from reporting and stopping fraudulent transactions.
The factory reset essentially acts as a kill switch. The reset is executed after an illicit wire transfer, or when the malware is detected by installed security software.
“It appears that [threat actors] are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt,” Cleafy notes.
“In this way, the victim is going to lose even more time before understanding that a malicious action happened.”
To perform the factory reset, BRATA poses as a legitimate security app and asks the victim to grant it “device admin” permission, which allows it to erase all data, change the screen lock and set password rules.
Beyond just the reset, BRATA is now able to monitor the victim’s banking app through VNC and by using mobile keylogging techniques.
BRATA is spread using SMS messages that impersonate a bank and contain a link to a website where victims are tricked into downloading an anti-spam app. The cybercriminals then call the victim, asking them to install the banking Trojan app. This allows the attacker to capture second-factor authentication codes sent by the bank to conduct the fraud.
BRATA obtains Android Accessibility Services permissions to view how a victim uses their banking apps. The VNC modules let the attackers see what’s on the bank app’s screen, such as account balance and transaction history. BRATA can also take a screenshot of the victim’s screen and send this information to an attacker-controlled server.
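The permission pairing described above (a device admin with wipe rights plus an Accessibility Service) can be checked when triaging an app. The following is an added example, not code from Cleafy, ZDNet or the original article; it assumes the manifest and device-admin policy file have already been decoded to text (for instance with apktool), and the package and component names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Device-admin policy tags for the three capabilities the article names.
RISKY_POLICIES = {
    "wipe-data": "erase all data (factory reset)",
    "reset-password": "change the screen lock",
    "limit-password": "set password rules",
}
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample: decoded manifest of a hypothetical "anti-spam" app.
SAMPLE_MANIFEST = f"""<manifest {NS} package="com.example.antispam">
 <application>
  <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
   <meta-data android:name="android.app.device_admin"
              android:resource="@xml/device_admin"/>
  </receiver>
  <service android:name=".ScreenWatcher"
           android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
 </application>
</manifest>"""
# Constructed sample: the res/xml/device_admin.xml policy file it points to.
SAMPLE_POLICIES = f"""<device-admin {NS}><uses-policies>
 <wipe-data/><reset-password/><limit-password/>
</uses-policies></device-admin>"""

def audit(manifest_xml, policies_xml):
    """Report device-admin and accessibility exposure for one decoded app."""
    app = ET.fromstring(manifest_xml).find("application")
    perms = {c.get(ANDROID + "permission") for c in app} if app is not None else set()
    admin = "android.permission.BIND_DEVICE_ADMIN" in perms
    a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in perms
    policies = []
    if admin:  # policies only take effect through a device-admin receiver
        root = ET.fromstring(policies_xml)
        policies = sorted(e.tag for e in root.iter() if e.tag in RISKY_POLICIES)
    return {"device_admin": admin, "accessibility_service": a11y,
            "risky_policies": policies,
            # Wipe rights combined with screen observation: escalate for review.
            "escalate": a11y and "wipe-data" in policies}

if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, SAMPLE_POLICIES)
    for tag in result["risky_policies"]:
        print(f"policy {tag}: {RISKY_POLICIES[tag]}")
    print("escalate for manual review:", result["escalate"])
```

Legitimate mobile-management and security apps also declare these policies, so a match is a reason for manual review, not a verdict.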
Story via ZDNet.com