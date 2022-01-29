

An investigation published earlier this week shows that a nasty piece of Android banking malware has evolved, gaining a number of startling new features, including the ability to factory reset a device after the victim's money has been stolen.

The malware in question is called BRATA, short for “Brazilian Remote Access Tool for Android”. As the name suggests, it first appeared in Brazil several years ago, but it has since spread to many other parts of the world. Researchers at the security firm Cleafy wrote this week that the latest version of the malware, first detected in December, has a number of additional features that give the criminals an even greater advantage over their victims than earlier iterations did.

Technically, BRATA is a banking trojan, meaning it is designed to steal money through banking applications or other financial services. It is also a RAT (Remote Access Tool), a generic term for software that gives an operator remote control over a device, including the ability to run further code on it. Criminals often use RATs to push additional malware onto the devices they already control.

BRATA's operators are known to deliver the malware through trojanized apps, programs that pose as legitimate software. Such apps can be smuggled into Google Play or other legitimate app stores, where they catch users off guard. Once installed, they ask for intrusive permissions, such as access to Android's accessibility services, which give the malware operators deep control over the user's device.

Trojans frequently come with keyloggers and other spyware capabilities, and BRATA is no exception. Using the trojan, the criminals push fake login pages onto the user's phone and harvest the online banking credentials entered into them, the researchers write.

The newest version adds a capability that lets the attackers erase the evidence of their activity by factory resetting the device once the money has been taken. “This mechanism represents a kill switch for this malware,” the researchers write, noting that the factory reset is frequently observed after a “bank fraud has been successfully completed.” In this way, the victim “is going to lose even more time before understanding that a malicious action occurred,” they point out. In other words, the factory reset is designed to keep the victim busy recovering a wiped phone while the criminals make off with the funds.

Factory resets have also been observed when BRATA applications were installed in a virtual environment, according to the researchers. This is notable because researchers routinely run malicious programs in virtual environments to study them safely. The likely explanation is that the BRATA developers trigger the wipe to frustrate analysis and hinder reverse engineering of the malware. For an analyst working from a disposable emulator the reset itself costs little more than restoring a snapshot, but it is a clear sign that the sample is fingerprinting its environment before deciding how to behave.
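The capabilities described in the preceding paragraphs (intrusive permissions, credential-harvesting overlays, keylogging, and a factory reset) all leave traces in an app's manifest before the app ever runs. As an added illustration, not part of the original article or of Cleafy's tooling, the Python script below performs a static triage of a decoded AndroidManifest.xml and flags the combination of an overlay permission, SMS access, an accessibility service (what a keylogger binds to) and a device-admin receiver (the privilege `DevicePolicyManager.wipeData()` requires for a factory reset). The two manifests, the package names and the three-level verdict are constructed for the example; a real APK's manifest is binary XML and must be decoded first, for instance with `apktool d app.apk`.

```python
"""Static triage of a decoded AndroidManifest.xml for a banking-trojan
capability set.  Constructed example, not Cleafy's tooling or BRATA code.

The manifest inside an APK is binary XML; decode it first (for instance
with `apktool d app.apk`) and pass the resulting text to triage_manifest().
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Individually common permissions that, combined with the components
# below, are typical of banking trojans rather than ordinary apps.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays (fake login pages)",
    "android.permission.RECEIVE_SMS": "intercept SMS (one-time codes)",
    "android.permission.READ_SMS": "read stored SMS (one-time codes)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload further APKs",
}
# System "bind" permissions that mark privileged components.
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"            # wipeData() needs an enabled admin
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # reads screen content, injects input


def triage_manifest(xml_text: str) -> dict:
    """Return the declared risky capabilities and a coarse (constructed) verdict."""
    root = ET.fromstring(xml_text)
    findings = []

    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    for perm, effect in SUSPICIOUS_PERMISSIONS.items():
        if perm in requested:
            findings.append(f"{perm}: {effect}")

    # Device-admin receivers and accessibility services are ordinary
    # components guarded by a system-only bind permission.
    device_admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN
                       for r in root.iter("receiver"))
    accessibility = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY
                        for s in root.iter("service"))
    if device_admin:
        findings.append("device-admin receiver: can lock or factory reset once enabled")
    if accessibility:
        findings.append("accessibility service: can log keystrokes and drive the UI")

    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in requested
    signals = sum([device_admin, accessibility, overlay])
    verdict = "high" if signals == 3 else "medium" if signals == 2 else "low"
    return {
        "package": root.get("package"),
        "findings": findings,
        "device_admin": device_admin,
        "accessibility": accessibility,
        "verdict": verdict,
    }


# Constructed manifest in the shape of a banking trojan: overlays, SMS
# access, an accessibility service and a device-admin receiver.
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakescanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Security Scanner">
    <service android:name=".KeyLogService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an unremarkable app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (TROJAN_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], "->", report["verdict"])
        for line in report["findings"]:
            print("  ", line)
```

The verdict is deliberately coarse: a legitimate parental-control or enterprise app may well declare an accessibility service or a device-admin receiver, so the script is a triage filter that tells you which APKs deserve a closer look, not a malware classifier.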

Earlier versions of BRATA have been seen in the US, and the newer version has recently been observed targeting banking institutions in the UK, Poland and Italy, the researchers wrote.

Given BRATA's reliance on trojanized applications, the best protection is to scrutinize every application you install, something you should be doing anyway. At the beginning of 2021 it was reported that BRATA applications had slipped into the Google Play store; they were subsequently removed. In general, stick to well-known, trustworthy apps, avoid programs from dubious third-party sites, and be suspicious of any app that asks to become a device administrator or to enable an accessibility service, since those are exactly the privileges a piece of malware needs to log keystrokes or wipe the phone.