The operators behind BRATA have once again added more functionality to the Android mobile malware in an effort to make their attacks on financial apps more stealthy.

“In fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity model,” Italian cybersecurity firm Cleafy said in a report last week. “This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information.”

An acronym for “Brazilian Remote Access Tool Android”, BRATA was first detected in the wild in Brazil in late 2018, before making its first appearance in Europe last April, while masquerading as antivirus software and other common productivity tools to entice users to download. .

The change in attack pattern, which reached new heights in early April 2022, involves tailoring the malware to hit one specific financial institution at a time, only switching to another bank after the victim has began to implement countermeasures against the threat.

New features are also embedded in the malicious applications that allow it to impersonate the financial institution’s login page to collect credentials, access SMS messages, and load a second-stage payload ( “unrar.jar”) from a remote server to log events. on the compromised device.

“The combination of the phishing page with the ability to receive and read the victim’s text messages could be used to perform a full account takeover (ATO) attack,” the researchers said.

Additionally, Cleafy said it found a sample separate Android application package (“SMSAppSicura.apk”) that used the same command-and-control (C2) infrastructure as BRATA to siphon SMS messages, indicating that the actors of the threat are testing different methods to extend their reach.

The text-stealing app is said to specifically target users in the UK, Italy and Spain, with the aim of being able to intercept and exfiltrate all incoming messages related to one-time passwords sent by banks.

“Early malware campaigns were delivered via fake antivirus or other common applications, while during the campaigns the malware takes on the guise of an APT attack against a specific Italian bank’s customer,” they wrote. said the researchers.

“They usually focus on delivering malicious apps targeted at a specific bank for a few months and then another target.”