Fake support agents call victims to install Android banking malware

[Artifact]

The BRATA Android remote access trojan (RAT) has been spotted in Italy, with threat actors calling victims of SMS attacks to steal their online banking credentials.
The variant currently in circulation is new, and according to a report by researchers at Cleafy, it can pass undetected by the vast majority of AV scanners.
BRATA was previously seen in Brazil, delivered via apps on the Google Play Store, but it appears that its authors are now selling it to foreign operators, which is not unusual in this field.
Using fake anti-spam apps
The Italian campaign was first spotted in June 2021, delivering multiple Android apps through SMS phishing, otherwise known as smishing.
Most of the malicious apps were called “Sicurezza Dispositivo” (Device Security) and were promoted as anti-spam tools.
That first wave failed in AV detection, having a 50% stealthiness rate in Virus Total. These high detection rates led to a second wave using a new variant with extremely low detection rates in mid-October.
In the second wave, the actors also expanded their targeting scope, raising the targeted financial institutes from one to three.

AntiSPAM app promoted by the threat actors
Manual labor required
The attack begins with an unsolicited SMS text linking a malicious website. This text claims to be a message from the bank urging the recipient to download an anti-spam app.
The link leads to a page from where the victim downloads the BRATA malware themselves or takes them to a phishing page to enter their banking credentials.
During that step, the threat actors call the victim on the phone and pretend to be an employee of the bank, offering help with installing the app.

BRATA campaign in Italy
The app requires multiple permissions to enable the actor to take full control of the compromised device, including the Accessibility services, view and send SMS, make phone calls, and perform screen recording.
The full list of BRATA’s capabilities includes:

• Intercept SMS messages and forward them to a C2 server. This feature is used to get 2FA sent by the bank via SMS during the login phase or to confirm money transactions.

• Screen recording and casting capabilities that allow the malware to capture any sensitive information displayed on the screen. This includes audio, passwords, payment information, photo, and messages. Through the Accessibility Service, the malware clicks the “start now” button (of the popup) automatically, so the victim is not able to deny the recording/casting of the owned device.

• Remove itself from the compromised device to reduce detection.

• Uninstall specific applications (e.g., antivirus).

• Hide its own icon app to be less traceable by not advanced users.

• Disable Google Play Protect to avoid being flagged by Google as suspicious app.

• Modify the device settings to get more privileges.

• Unlock the device if it is locked with a secret pin or pattern.

• Display the phishing page.

• Abuse the accessibility service to read everything that is shown on the screen of the infected device or to simulate clicks (taps) on the screen. This information is then sent to the C2 server of the attackers.

Permissions requested by the BRATA app
The actors abuse these permissions to access the victim’s bank account, retrieve the 2FA code, and eventually perform fraudulent transactions.
The mule accounts used as intermediary points in this campaign are based in Italy, Lithuania, and the Netherlands.