BRATA Malware Poses as Android Security Scanners on Google Play Store


A new set of malicious Android apps has been caught posing as app security scanners on the official Play Store to distribute a backdoor capable of gathering sensitive information.

"These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device by abusing accessibility services," cybersecurity firm McAfee said in an analysis published on Monday.

The apps in question were designed to target users in Brazil, Spain, and the U.S., with most of them accruing between 1,000 and 5,000 installs. Another app named DefenseScreen racked up 10,000 installs before it was removed from the Play Store last year.

First documented by Kaspersky in August 2019, BRATA (short for "Brazilian Remote Access Tool Android") emerged as an Android malware with screen recording abilities before steadily morphing into a banking trojan.

"It combines full device control capabilities with the ability to display phishing webpages that steal banking credentials in addition to abilities that allow it to capture screen lock credentials (PIN, Password or Pattern), capture keystrokes (keylogger functionality), and record the screen of the infected device to monitor a user's actions without their consent," McAfee researchers Fernando Ruiz and Carlos Castillo said.

The apps that distribute the backdoor alert unsuspecting users of a security issue on their devices, prompting them to install a fake update of a specific app (e.g., Google Chrome, WhatsApp, and a non-existent PDF reader app) to address the problem.

Once the victim agrees to install the app, BRATA requests permissions to access the device's accessibility service, abusing it to capture the lock screen PIN (or password/pattern), record keystrokes, take screenshots, and even disable the Google Play Store.
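
Since the abuse described above depends on an enabled accessibility service, one defensive check is to list which apps currently hold one. The following is an added example, not part of the original post or of McAfee's analysis: it parses the value printed by `adb shell settings get secure enabled_accessibility_services` and flags services from packages outside an expected set. The sample value, the package `com.example.fakeupdate` and the allowlist are constructed assumptions.

```python
"""Audit which apps hold an enabled accessibility service (added example)."""

# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# prints: colon-separated ComponentName strings ("package/class").
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.core.HelperService"
)

# Assumption: packages the device owner expects to hold accessibility access.
EXPECTED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Return [(package, fully_qualified_class)] from the settings value."""
    raw = raw.strip()
    if raw in ("", "null"):  # `settings get` prints "null" when nothing is set
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            raise ValueError(f"not a ComponentName: {entry!r}")
        if cls.startswith("."):  # short form is relative to the package name
            cls = package + cls
        services.append((package, cls))
    return services


def unexpected_services(raw, expected=EXPECTED_PACKAGES):
    """Services whose owning package is not in the expected set."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in expected]


if __name__ == "__main__":
    for package, cls in unexpected_services(SAMPLE_SETTING):
        print(f"REVIEW: {package} has accessibility service {cls} enabled")
```

Any package this flags deserves a manual look at what it is, where it came from and why it needs accessibility access.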