A new malicious Android remote access tool (RAT) dubbed BRATA was observed by Kaspersky researchers while spreading via WhatsApp and SMS messages to infect and spy on Brazilian users.

The new RAT was named based on its “Brazilian RAT Android” description by the Kaspersky Global Research & Analysis Team (GReAT) researchers who spotted it in the wild in January.

Until now, the researchers have discovered more than 20 unique BRATA variants in Android apps delivered via the Google Play Store, with some also having been found on unofficial Android app stores.

RAT was delivered through the official Google Play Store and also via unofficial Android app stores. The experts have already discovered more than 20 unique BRATA variants in Android apps on the Play Store.

Most of the tainted apps pose as an update to the popular instant messaging application WhatsApp that would address the CVE-2019-3568 flaw in the instant messaging application. Once the malware has infected the victim’s device, it will start keylogging feature, enhancing it with real-time streaming functionality. The malware leverages the Android Accessibility Service feature to interact with other applications installed on the victim’s device.

BRATA supports many commands, such as unlocking the victims’ devices, collecting device information, turning off the device’s screen to surreptitiously run tasks in the background, executing any particular application and uninstall itself and removes any infection traces.

“It is worth mentioning that the infamous fake WhatsApp update registered over 10,000 downloads in the official Google Play Store, reaching up to 500 victims per day,” concludes Kaspersky.

Indicators of Compromise

MD5

  • 1d8cf2c9c12bf82bf3618becfec34ff7
  • 4203e31024d009c55cb8b1d7a4e28064
  • 4b99fb9de0e31004525f99c8a8ea6e46

For more cybersecurity information contact us at help@theweborion.com