Full Report
Recently, the McAfee Mobile Research Team uncovered several new variants of the Android malware family BRATA being distributed in Google... The post BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain appeared first on McAfee Blog.
Analysis Summary
# Tool/Technique: BRATA (Brazilian Remote Access Tool Android)
## Overview
BRATA is an Android Remote Access Trojan (RAT) that initially targeted Brazil but has expanded its geographic reach to include the USA and Spain. It primarily functions by abusing Android Accessibility Services to gain full control over infected devices. Recent variants operate as banking trojans, serving region/app-specific phishing pages to steal credentials, and possess sophisticated techniques for evasion and self-defense.
## Technical Details
- Type: Malware family (RAT, Banking Trojan)
- Platform: Android
- Capabilities: Full device control via Accessibility Services, keylogging, screen recording, screen lock credential capture, serving banking phishing pages.
- First Seen: Late 2018 (Named by Kaspersky)
## MITRE ATT&CK Mapping
*Note: Since BRATA targets mobile devices, the mappings below primarily reflect common mobile adversary behaviors, mapped against equivalent enterprise techniques where applicable.*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (Used for C2 communication)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (Sending stolen data)
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Antivirus (Implied by evasion mechanisms/hiding activity)
- **TA0003 - Persistence**
  - T1544.001 - Boot or Logon Autostart Execution: Service Execution (Achieved by abusing Accessibility Services on device unlock and other events)
## Functionality
### Core Capabilities
- **Accessibility Service Abuse:** Gaining elevated permissions to monitor user actions, retrieve window content, and perform automated gestures (taps, swipes) to interact with apps and settings.
- **Credential Theft:** Capturing screen lock credentials (PIN, Password, Pattern) and logging keystrokes via keylogging functionality.
- **Banking Trojan Activity:** Detecting the presence of target financial applications (based on C2 instructions) and overlaying device-specific phishing webpages to harvest banking login details.
- **Screen Recording:** Covertly recording the device screen to monitor user activities.
- **Device Control:** Maintaining remote access to the infected device.
### Advanced Features
- **Geographic Expansion:** Targeting users in the USA and Spain in addition to its original focus on Brazil.
- **Evasion Techniques:** Implementing string obfuscation and configuration file encryption.
- **Use of Commercial Packers:** Adding protection layers to hinder static and dynamic analysis.
- **Dynamic Payload Loading:** Moving core functionality to a remote server to allow easier, less detectable updates.
- **Pre-execution Check:** Some variants check if the device is deemed "worth being attacked" before downloading and executing the main payload, increasing evasion against automated analysis.
- **Social Engineering:** Posing as legitimate-looking app security scanners or necessary updates (Chrome, WhatsApp, PDF Reader) distributed via Google Play.
- **Hiding Mechanism:** Upon gaining accessibility permissions, the application icon is hidden, and a black screen with the text "Updating" is displayed to mask automated actions.
## Indicators of Compromise
- File Hashes: (Not provided in the text)
- File Names: Apps detected in Google Play included "DefenseScreen." Look for apps promising security scanning or critical updates.
- Registry Keys: (Not applicable/provided for Android)
- Network Indicators: Communication relies on a remote command and control server (C2) that dictates which phishing pages to serve based on device language/installed apps. (Specific domains/IPs were not provided, but C2 communication is a key indicator).
- Behavioral Indicators: Persistent requests for Accessibility Service permissions, immediate hiding of the application icon after setup, high resource utilization in the background, and the sudden appearance of banking login overlays not associated with genuine apps.
## Associated Threat Actors
- Threat actors operating the BRATA malware are actively developing and updating new variants and publishing them via Google Play.
## Detection Methods
- Signature-based detection: McAfee Mobile Security detects this threat as **Android/Brata**.
- Behavioral detection: Monitoring for the installation of apps that aggressively request Accessibility Service permissions, especially when disguised as utilities or security cleaners.
- YARA rules: (Not provided in the text)
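The behavioral indicators and behavioral detection bullets above can be turned into a simple triage heuristic for an app inventory. The following is an added example, not code from the McAfee post; the record fields, package names and lure vocabulary are assumptions, and the inventory is constructed.

```python
# Added example (not code from the McAfee post): scores a constructed Android
# app inventory against the behavioural indicators listed above. Record
# fields, package names and the lure vocabulary are assumptions.
from dataclasses import dataclass

ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Lure vocabulary drawn from the post's examples (DefenseScreen, fake updates).
LURE_KEYWORDS = ("defense", "scanner", "security", "update", "cleaner")


@dataclass
class AppRecord:
    package: str
    label: str
    requested_permissions: set
    launcher_icon_visible: bool   # False once the app hides its own icon
    accessibility_enabled: bool   # user granted the Accessibility Service


def brata_like_indicators(app):
    """Return the behavioural indicators a single app record matches."""
    hits = []
    if ACCESSIBILITY_PERM in app.requested_permissions:
        hits.append("requests_accessibility_service")
    if app.accessibility_enabled and not app.launcher_icon_visible:
        hits.append("icon_hidden_after_accessibility_grant")
    if any(word in app.label.lower() for word in LURE_KEYWORDS):
        hits.append("security_or_update_lure_name")
    return hits


def triage(inventory, threshold=2):
    """Flag apps matching at least `threshold` indicators, so a genuine screen
    reader that only requests the Accessibility Service is not flagged."""
    flagged = {}
    for app in inventory:
        hits = brata_like_indicators(app)
        if len(hits) >= threshold:
            flagged[app.package] = hits
    return flagged


# Constructed sample inventory (package names are hypothetical).
SAMPLE_INVENTORY = [
    AppRecord("com.example.defensescreen", "DefenseScreen",
              {ACCESSIBILITY_PERM, "android.permission.INTERNET"}, False, True),
    AppRecord("com.example.reader", "Screen Reader", {ACCESSIBILITY_PERM}, True, True),
    AppRecord("com.example.notes", "Notes", {"android.permission.INTERNET"}, True, False),
]
```

The threshold keeps a single indicator (such as a legitimate accessibility app) from raising an alert on its own; only the combination the post describes is flagged.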
## Mitigation Strategies
- **User Education:** Avoid links from untrusted sources that claim a security scan or system update is required, and be highly cautious of apps promising system scanning.
- **Permissions Scrutiny:** Be wary of granting Accessibility Service permissions to any application, as Android explicitly warns this allows the app to observe actions and perform gestures.
- **App Vetting:** Verify the legitimacy of security and utility applications before installation, even if found on Google Play.
- **Endpoint Protection:** Employ mobile security solutions (like McAfee Mobile Security) capable of detecting known malware families.
## Related Tools/Techniques
- **Banking Trojans/RATs:** Other malware capable of stealing banking credentials or gaining full device control on Android platforms. The article mentions other topics related to mobile threats (SpyAgent, AsyncRAT), suggesting a landscape of evolving Android threats.