A new variant of the banking trojan BRATA has been identified and, thanks to increasingly advanced features, it is able to stealthily monitor Android users’ activities and steal their confidential information. BRATA is active again in a big way after the last malicious campaign last December 2021.

New variants of the Remote Access Trojan (RAT) are intended to target Android users by using customized overlay pages for specific banking apps and steal customers’ device codes, also presenting themselves as supposed security apps and updates.

As mentioned, BRATA has a portfolio of new features:

  • ability to perform device factory reset;
  • GPS localization capabilities;
  • ability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to maintain a persistent connection;
  • ability to continuously monitor the victim’s banking application via VNC and keylogging techniques.

The new factory reset feature is designed as a true kill switch for BRATA, allowing threat actors to eliminate any traces after the compromise has been successfully completed.

For all these reasons, the best way to avoid being infected with Android BRAT trojan (and similar malware) remains to consider and apply the following good rules:

  • install apps exclusively from the Google Play Store, avoiding downloads from third-party websites;
  • Always scan websites before visiting them, using antivirus tools available online;
  • pay close attention to the permissions you are asked for when installing apps;
  • monitor the battery status and network traffic of the device to identify any anomalies that could be attributed to malicious processes running in the background;
  • provide a reliable and comprehensive antivirus tool for mobile devices.