Android Malware Poses as Security Prompt to Make Users Download Fake Updates, Take Full Control of Devices

BRATA is an Android malware that warns users of a supposed security flaw and then makes them download malicious apps that take over their devices.

Instance of a BRATA Android malware app. (Image: McAfee Labs)

A new Android malware has been reported by McAfee Labs, which seemingly prompts users about apparent security issues and tricks them into downloading a remote access tool (RAT). The latter subsequently allows hackers to remotely take over devices, and gain control over essentially anything and everything on a smartphone. Reported by McAfee researchers Fernando Ruiz and Carlos Castillo, the malware, of which there are multiple variants, appears to come from a family called BRATA – Brazilian Remote Access Tool Android.

Even though it is seemingly targeting users in Brazil, Spain and the USA, the apps carrying BRATA malware can potentially infect anyone, anywhere. The malware is being spread through various apps on the Google Play Store, all of which appear to be posing as security apps for Android devices. Some apps, as McAfee’s post reveals, have between 1,000 and 5,000 downloads, while a few of these security apps have over 10,000 downloads. These apps seemingly have a set list of target apps, and once downloaded, scan the phone to see if any of those apps are installed on it. The target apps include the likes of Google Chrome, WhatsApp, PDF readers and more.

Once the scan is done, these apps tell users that a given app (such as Chrome) needs to be updated immediately because of a security breach. Once a user taps on the prompt, instead of downloading a legitimate update, the app downloads a malware payload that installs a backdoor on the user’s device. This backdoor is essentially a Remote Access Tool (RAT) that hackers can exploit to remotely take over a user’s smartphone and carry out a wide range of malicious tasks.

As the researchers state about the malware, “In addition to being able to have full control of the infected device by abusing accessibility services, BRATA is now serving phishing URLs based on the presence of certain financial and banking apps defined by the remote command and control server.”

The malware family, which is among the commonly found RATs in the Android ecosystem, has also evolved over time into its latest form. As described, “New BRATA variants added new protection layers like string obfuscation, encryption of configuration files, use of commercial packers, and the move of its core functionality to a remote server so it can be easily updated without changing the main application. Some BRATA variants also check first if the device is worth being attacked before downloading and executing their main payload, making it more evasive to automated analysis systems.”

Users are urged not to download unverified apps, even when they pose as security services. The BRATA malware apps gained the ability to install the RAT by obtaining accessibility privileges from the user, which is the key step in such cyber attacks.
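
Because the takeover depends on an app holding accessibility privileges, a practical check is to list which packages currently have an accessibility service enabled and flag any that are not expected. The script below is an added example, not code from McAfee's report; the package names and the allowlist are constructed assumptions, and on a real device the input string comes from `adb shell settings get secure enabled_accessibility_services`.

```shell
#!/bin/sh
# Added example: audit which packages hold an enabled accessibility service.
# On a device with USB debugging, the live value comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of "package/ServiceClass" components.

# Constructed sample value (hypothetical second package, not from the report).
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakesecurity/.UpdateHelperService'

# Packages expected to hold accessibility access (assumption: adjust per device or fleet).
ALLOWLIST='com.google.android.marvin.talkback'

# Print every package in $1 that is not in the space-separated allowlist $2.
unexpected_a11y_packages() {
    services=$1
    allow=$2
    # "null" or an empty string means no accessibility service is enabled.
    if [ -z "$services" ] || [ "$services" = "null" ]; then
        return 0
    fi
    # Strip carriage returns that adb output can carry, then split on ':'.
    printf '%s\n' "$services" | tr -d '\r' | tr ':' '\n' |
    while IFS= read -r component; do
        [ -n "$component" ] || continue
        pkg=${component%%/*}               # keep the package, drop the service class
        case " $allow " in
            *" $pkg "*) ;;                 # expected holder, skip
            *) printf '%s\n' "$pkg" ;;     # unexpected holder, report
        esac
    done
}

unexpected_a11y_packages "$SAMPLE" "$ALLOWLIST"
```

Any package this reports should be reviewed in Settings under Accessibility and removed if the user does not recognise it.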
