BRATA, an Android malware, has gained dangerous new features in its latest version, including GPS tracking, the ability to use multiple communication channels, and a function that performs a factory reset of the device to wipe all traces of malicious activity. The malware was last seen in 2019, when Kaspersky identified it as an Android RAT (remote access tool) and reported that Brazilian users were the most targeted audience.
A December 2021 report by Cleafy pointed out that BRATA had appeared in Europe. E-banking users had their credentials stolen after being tricked by fraudsters posing as the bank’s customer support agents. The malware has continued to be monitored since then, and recently the website BleepingComputer reported that a new report was published showing the evolution of the malware.
BRATA has customized versions for different audiences
The latest versions of the BRATA malware hit e-banking users in the UK, Poland, Italy, Spain, China and Latin America. There are several variants of the malware targeting different banks, with dedicated overlays, languages and modifications for each audience.
BRATA developers use similar obfuscation techniques across all versions, for example wrapping the APK file in an encrypted JAR or DEX package. This technique helps the malware evade antivirus detection. In addition, BRATA actively searches the device for signs of AV presence and attempts to remove any detected security tools before proceeding to the data exfiltration step.
New features in the latest versions of BRATA that have been identified by Cleafy include keylogging functionality, which complements the existing screen-capture function. In addition, the malware now has GPS tracking, but its exact purpose is not known at this time.
The scariest change in the new BRATA update is the factory reset. This malware function is used in the following situations:
- The compromise completed successfully and the fraudulent transaction has ended (i.e. the credentials were exfiltrated).
- The application has detected that it is running in a virtual environment, most likely for analysis.
The factory reset is used by BRATA as a kill switch for self-protection. However, by “wiping” the device, it can cause the victim to irreversibly lose important data.
New communication channels were added to BRATA to exchange data with the C2 server, which now supports both HTTP and WebSockets. By using WebSockets, criminals gain a direct, low-latency channel ideal for real-time communication and live manual exploitation. In addition, once a WebSocket connection is established, HTTP headers do not need to be sent with each message, so traffic volume is reduced and the chances of detection are minimized.
Tips to stay safe
The best way to avoid getting infected with malware on Android is to install apps only from Google Play and to avoid APKs from dubious websites. When installing apps, always pay attention to the permissions that are requested and avoid granting access that is unnecessary for the app’s core functionality.