September 30, 2023

The new version of the BRATA Android malware  with new features, including GPS tracking and a functionality to perform a factory reset on the device.

The BRATA RAT was first detected spreading via WhatsApp and SMS messages. The RAT was delivered through the official Google Play Store and also via unofficial Android app stores.


Ingeneral the tainted mobile apps pose as an update to the popular instant messaging application WhatsApp that would address the CVE-2019-3568 flaw. Once the malware has infected the victim’s device, it will start keylogging feature, enhancing it with real-time streaming functionality. The malware leverages the Android Accessibility Service feature to interact with other applications installed on the victim’s device.

BRATA Malware supports many commands, such as unlocking the victims’ devices, collecting device information, turning off the device’s screen to surreptitiously run tasks in the background, executing any particular application and uninstall itself and removes any infection traces.

The latest version of the Android RAT is targeting e-banking users in the UK, Poland, Italy, Spain, China, and Latin America. It uses tailored overlay pages to targeted specific banking application and steal user’s PIN. To avoid detection they used to obfuscate.

Below is the list of new features in the latest BRATA versions:

  • Capability to perform the device factory reset: it appears that TAs are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt.
  • GPS tracking capability
  • Capability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection.
  • Capability to continuously monitor the victim’s bank application through VNC and keylogging techniques.

The factory reset feature allows threat actors to delete any traces when the compromise has been completed or when the application detects it is running in a virtual environment used to analyze it.

The recent evolution of the BRATA RAT suggests that threat actors continue to improve it in the attempt to extend its audience of potential targets.

Indicators of Compromise

  • 220ec1e3effb6f4a4a3acb6b3b3d2e90
  • e664bd7951d45d0a33529913cfbcbac0
  • 2dfdce36a367b89b0de1a2ffc1052e24
  • 5[.]39[.]217[.]241

Leave a Reply

%d bloggers like this: