Cybersecurity expert group Cleafy said the threat actors behind the BRATA Android malware are now operating according to an Advanced Persistent Threat (APT) activity pattern.
Writing in a blog post on Friday, Cleafy confirmed it first detected three main BRATA variants at the end of 2021, mainly in Great Britain, Italy and Spain. The group has reportedly changed its attack patterns in recent months.
“Threat Actors behind BRATA now target a specific financial institution at a time, and change their focus only once the targeted victim starts to implement consistent countermeasures against them,” the Cleafy team wrote.
“Then, they move away from the spotlight, to come out with a different target and strategies of infections.”
Cleafy dubbed the new malware variant BRATA.A and highlighted its new features in an advisory within their blog post.
“As we highlighted through our metrics, when a new release comes out there are also new features that make it more dangerous. [The] BRATA.A variant has been spotted in EU territory posing as specific bank applications, including some internal changes.”
The first of these new features is a phishing technique that involves the creation and deployment of a fake login page mimicking the design of the targeted bank’s website in order to harvest credentials from unaware users.
“It’s worth mentioning that, at the time of writing, this information seems to be under development,” Cleafy clarified.
“This hypothesis is supported by the fact that there is no data exchange between the victim device and the TA infrastructure.”
Secondly, BRATA.A now features new classes in charge of acquiring GPS, overlay, SMS and device management permissions. These could help malicious actors obtain two-factor authentication (2FA) codes and the physical location information needed to log in to bank accounts.
“Once installed, the pattern of the attack is similar to other SMS stealers. This consists of the malicious app asking the user to replace the default messaging app with the malicious one to intercept all incoming messages.”
Finally, the mobile malware can now reportedly sideload a piece of code downloaded from its command-and-control (C2) server to perform event logging on infected devices.
“[…] This feature seems to be under development too. However, our hypothesis is that TAs are trying to extend the functionality of the malware to get data from other applications, abusing the Accessibility Service,” Cleafy added.
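As an added defensive illustration (not Cleafy's code, and not BRATA's), the following triage heuristic scans a decoded AndroidManifest.xml for the combination the two passages above describe: SMS, overlay, location and device-admin permissions, an accessibility service, and the SMS_DELIVER receiver that lets an app be set as the default messaging app. The sample manifest and the package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities named in the article, mapped from the permission that grants them.
# The BIND_* entries appear on components (service/receiver), not as uses-permission.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.ACCESS_FINE_LOCATION": "gps",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
}
# A receiver for this action is required to become the default SMS app.
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"

# Constructed sample manifest (hypothetical package name) for the demo below.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".SmsRcv" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the set of capability tags declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    found = set()
    for up in root.iter("uses-permission"):
        tag = RISKY_PERMISSIONS.get(up.get(ANDROID_NS + "name"))
        if tag:
            found.add(tag)
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        tag = RISKY_PERMISSIONS.get(comp.get(ANDROID_NS + "permission"))
        if tag:
            found.add(tag)
        for action in comp.iter("action"):
            if action.get(ANDROID_NS + "name") == SMS_DELIVER_ACTION:
                found.add("default_sms_app")
    return found

def suspicious(found):
    """Flag SMS capture combined with overlay, accessibility or device-admin."""
    return "sms" in found and bool(found & {"overlay", "accessibility", "device_admin"})
```

Run it over manifests produced by a decoder such as apktool; a hit is a reason for manual review, not a malware verdict, since legitimate messaging or MDM apps declare some of the same capabilities.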
According to the cybersecurity researchers, the original BRATA malware was distributed through fake antivirus or other common apps, whereas in the new campaigns it took the shape of an APT-style attack targeting the customers of a particular Italian bank.
“The latter trend […] seems to be the attack pattern that TAs are going to use in the coming year… They usually focus on delivering malicious applications targeted to a specific bank for a couple of months and then moving to another target.