BRATA trojan becomes more threatening against financial applications

BRATA Trojan Android Mobile Malware Cyberthreat Financial Applications 2FA Codes

The BRATA banking trojan has upped its games by evolving and improving its capabilities. Based on reports, the trojan has now included an information-stealing ability to target financial applications. Moreover, BRATA has shown that it can now execute an extensive persistence in the targeted entity while harvesting essential information.

Some of the new changes in the BRATA trojan were shown by its operators in its recent activities since it has now behaved like an Advanced Persistent Threat (APT). The banking trojan now sports a pre-loaded phishing overlay instead of acquiring a list of installed applications and getting the corresponding injections from the command-and-control for limiting the malicious network traffic.

The BRATA operators also updated its trojan with new phishing methods, new classes to request privileges on the infected device, and deployed a second-stage payload from the command-and-control server.

This banking trojan also became wiser as it now focuses on a single financial institution target per campaign. The operators only commit simultaneous attacks whenever their focused attack is inefficient by security products and countermeasures.


BRATA trojan can now also intercept codes.


Some researchers also noticed that BRATA had added more permissions to send and receive messages. Therefore, temporary codes like one-time passwords and 2FAs from the banks to their clients can be intercepted by the BRATA operators.

In addition, BRATA obtains a ZIP archive from the command-and-control server, including a JAR package coded as unrar[.]jar.

Furthermore, the researchers spotted an SMS stealer applicating using the same BRATA communication infrastructure, framework, and class names. This detail signifies that BRATA had also changed its TTPs.

The stealer application is exclusive to harvesting short text messages and targets Spain, Italy, and the UK. The app urges the target to set it as a default application for messages actions to intercept SMS.

Cybersecurity experts highlighted that the latest campaign of BRATA is an APT pattern that will continue to evolve in the coming months. Experts recommend that users download applications from trusted sources to stay protected from evolving threats and monitor every application’s behaviour after installation.

About the author

Leave a Reply