McAfee’s mobile research team recently discovered new variants of FluBot-like malware infiltrating Android devices. In this case we are going to talk about BRATA, malware that is distributed through the Google Play Store and poses as an app security scanner.

When we learned of the existence of security applications that removed FluBot, we already feared that something similar would happen. Who did not see it coming?

According to the McAfee article, these malicious applications urge users to update Chrome, WhatsApp, or a PDF reader, but instead of updating the application in question, they take full control of the device by abusing accessibility services.

Recent versions of BRATA were also observed serving phishing web pages aimed at users of financial institutions in various countries, from Brazil (its place of origin) and the United States to Spain.

What is BRATA?

First seen in late 2018 and named “Brazilian Android Remote Access Tool” (BRATA) by Kaspersky, this RAT initially targeted users in Brazil and then quickly became a banking Trojan. It “combines full device control capabilities with the ability to display phishing web pages that steal bank credentials, plus capabilities that allow you to capture screen lock credentials (PIN, password or pattern), capture keystrokes (keylogger functionality) and record the screen of infected devices to monitor the actions of a user without their consent.”

However, the most interesting thing about this malware is the way it is distributed: through Google's application store, the Play Store.

Its distribution on Google Play

BRATA is mainly distributed on Google Play, which makes it easier to get a person to download an application. BRATA gets users to install these malicious applications by pretending there is a security problem on the victim’s device and asking them to install a malicious app to fix it. The real security problem starts when the victim heeds this warning and downloads the unknown program.

Given the ruse, McAfee recommends not clicking links from untrusted sources that claim to be security software that scans and updates your system, even if that link leads to an app on Google Play.

DefenseScreen reached 10,000 downloads before being removed from Google Play. (McAfee)

During 2020, the actors behind BRATA managed to publish several applications on Google Play, most of them reaching between one thousand and five thousand downloads. However, some variants have also reached 10,000, including the latest one, DefenseScreen, which McAfee reported to Google in October and which was later removed from Google Play.

A banking Trojan

In addition to being able to take full control of the infected device by abusing accessibility services, BRATA now serves phishing URLs based on the presence of financial and banking applications. So, be very careful if you have banking applications installed on your mobile phone.
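Because the takeover described above depends on an enabled accessibility service, a quick device check is to review which apps currently hold one. The following is an added example, not code from McAfee or from the original article: it parses the value printed by `adb shell settings get secure enabled_accessibility_services` and flags every service outside an allowlist. The allowlist, the name hints and the `com.example.*` package names are assumptions constructed for illustration.

```python
# Added example: audit which apps hold an Android accessibility service.
# Input is the text printed by:
#   adb shell settings get secure enabled_accessibility_services
# i.e. a colon-separated list of "package/ServiceClass" components.

# Assumption: packages the device owner knowingly granted accessibility to.
ALLOWLIST = {"com.google.android.marvin.talkback"}
# Assumption: name fragments typical of "security scanner" / "update" lures.
HINTS = ("defense", "secur", "scan", "clean", "update", "protect")


def parse_components(raw):
    """Return (package, service_class) pairs from the settings value."""
    raw = raw.strip()
    if raw in ("", "null"):          # setting unset: no services enabled
        return []
    pairs = []
    for item in raw.split(":"):
        pkg, sep, cls = item.strip().partition("/")
        if not pkg or not sep or not cls:
            continue                 # skip malformed entries
        if cls.startswith("."):      # short form ".Svc" is relative to the package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def audit(raw, allowlist=ALLOWLIST):
    """List a finding for every enabled service outside the allowlist."""
    findings = []
    for pkg, cls in parse_components(raw):
        if pkg in allowlist:
            continue
        lure = any(h in (pkg + cls).lower() for h in HINTS)
        findings.append({"package": pkg, "service": cls,
                         "severity": "high" if lure else "review"})
    return findings


# Constructed sample value; the com.example.* names are placeholders.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.defensescan/.ScanService:"
          "com.example.reader/com.example.reader.A11yService")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["severity"], f["package"], f["service"])
```

Any entry reported here that the owner does not recognise can be disabled under the device's accessibility settings before the app is uninstalled.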

An expansion similar to FluBot

As we have already seen in previous news, FluBot is malware that infected devices via SMS, pretending to be the Post Office or FedEx. It affected more than 60,000 mobile devices and its geographic expansion is enormous. BRATA seems to be following the same path: we know that it started in Brazil, but recently its attacks have been affecting users in Spain and the United States. And although it has only just landed in our country, so to speak, McAfee says that some BRATA variants also first check whether the device is worth attacking before downloading and executing their main payload, which makes them more elusive for automated analysis systems.

So, since prevention is better than cure, don’t download anything from the Play Store that is related to device security, and that way we will avoid any problem.

