Researchers at Kaspersky Lab have discovered a new Android backdoor, BRATA, which has attacked exclusively Brazilian users since January. The authors of the malware managed to upload it to Google Play, where experts counted more than 20 variations of the program.Analysts called their find BRATA – “Brazilian RAT Android”. On Google Play, the Trojan masked itself as WhatsApp updates – in particular, attackers promoted it as a patch for CVE-2019-3568.
The vulnerability was widely reported in May this year, when human rights defenders uncovered an espionage campaign based on it.
According to experts, the false patch was installed by more than 10 thousand users.
“Once a victim’s device is infected, ‘BRATA’ enables its keylogging feature, enhancing it with real-time streaming functionality. It uses Android’s Accessibility Service feature to interact with other applications installed on the user’s device”, , — said researchers.
The main purpose of BRATA is keylogging with the ability to transmit data in real time. In its work, the Trojan uses the Accessibility Service, which allows interacting with other applications on the infected device.
Analysts found the following functions in the malware code:
- Getting information about the installed OS, device features, current user and his Google accounts;
- Launching installed applications with the parameters specified in the received JSON file. Record and send screenshots to operators;
- Sending text data to a remote server;
- Sending the user an unlock request, remote unlocking the device;
- Turn off the smartphone or tablet, turn off the screen to perform operations in the background;
- Removing the malware and all traces of its activity.
Attackers distribute BRATA via malicious SMS and WhatsApp mailings. In addition, they use push notifications on hacked sites and purchase ads on Google search.