New Variant of BRATA Banking Trojan Infecting Android Devices

Android OS Mobile Networks and Telephones
Advisory ID:
January 28, 2022


New variants of the BRATA banking trojan have been observed targeting Android devices worldwide since November 2021, with advanced features including the ability to wipe devices after stealing user data, track devices via GPS, and use novel obfuscation techniques. The remote access trojan (RAT), which targets banks and financial institutions, is now being distributed through a downloader to avoid detection by antivirus (AV) solutions.

Description & Consequence

This malware initially targeted Brazilian users and was therefore named Brazilian Remote Access Tool Android (BRATA). More recently, it has been reported targeting banks and financial institutions in Italy, Latin America, Poland and the United Kingdom, with the potential to spread to more countries across the globe. The malware has received many upgrades and changes, including the capability to remain undetected by virtually all malware scanning engines, and a downloader is used to fetch and run the real malicious software. After a victim unknowingly installs the downloader app, they only need to accept one permission to download and install an application from an untrusted source. When the victim clicks the install button, the downloader app sends a GET request to the C2 server to download the malicious .APK. In some cases, the link redirects the victim to a phishing page that imitates the bank's, which is used to steal credentials and other relevant information (e.g. PIN code, password and security questions). Once the malicious app is installed, the fraud operators can take control of the infected device to perform the following:

  • Through the Accessibility Service, the malware automatically clicks the “start now” button of the screen recording/casting popup, so the victim is unable to deny the recording or casting of their own device.
  • Remove itself from the compromised device to reduce detection.
  • Uninstall specific applications (e.g., antivirus).
  • Hide its own app icon to be less traceable by non-technical users.
  • Disable Google Play Protect to avoid being flagged by Google as a suspicious app.
  • Modify device settings to obtain more privileges.
  • Unlock the device if it is locked with a secret PIN or pattern.
  • Show phishing pages.
  • Abuse the Accessibility Service to read everything shown on the screen of the infected device or to simulate clicks on the screen. This information is then sent to the attackers' C2 server.

The screen recording and casting capabilities allow the malware to capture any sensitive information displayed on the screen, including audio, passwords, payment information, photos, and messages. The malware also intercepts SMS messages and forwards them to a Command & Control (C2) server, which lets the attackers obtain the Two-Factor Authentication (2FA) codes sent by the bank via SMS during login or to confirm money transactions.


  1. The best way to avoid becoming a victim is to be vigilant about which apps you install on your device.
  2. Avoid granting unnecessary accessibility permissions or administrator permissions to any app, and only install apps from recognized distribution platforms.
  3. When opening an email from an untrusted source, or an email from a trusted source that contains unusual content or requests, users should not click links, execute files, or open Microsoft Office documents.
  4. Users should be on the lookout for unusual activity on banking and financial services websites. They should pay close attention to new login fields that they haven't seen before, especially when they request personal information.
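A quick way to check recommendation 2 on a device in hand is to correlate which third-party apps hold an enabled Accessibility Service (the permission BRATA abuses for screen reading and auto-clicking) with where those apps were installed from. The triage helper below is an added example, not code from the advisory; it parses the text output of two standard `adb shell` commands and the sample outputs embedded in it are constructed for illustration.

```python
from __future__ import annotations
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated 'package/ServiceClass' entries; 'null' or empty means none).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfviewer/com.example.pdfviewer.AccService:"
    "com.example.keyboard/com.example.keyboard.A11yService"
)

# Constructed sample of `adb shell pm list packages -3 -i`
# (third-party packages only, with the installing package; 'null' = sideloaded).
SAMPLE_PKGS = """package:com.example.pdfviewer  installer=null
package:com.example.keyboard  installer=com.android.vending
package:com.bank.official  installer=com.android.vending
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per fleet policy

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_accessibility_services(raw: str) -> set[str]:
    """Return the package names that currently have an Accessibility Service enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_third_party_packages(raw: str) -> dict[str, str | None]:
    """Map each third-party package to its installer (None when sideloaded)."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def flag_accessibility_apps(a11y_raw: str, pkgs_raw: str) -> list[dict]:
    """List third-party apps holding an Accessibility Service; 'sideloaded' marks
    those not installed from a trusted store, which deserve the closest review.
    System services such as TalkBack are not third-party and are skipped."""
    enabled = parse_accessibility_services(a11y_raw)
    third_party = parse_third_party_packages(pkgs_raw)
    return [
        {"package": p, "installer": third_party[p],
         "sideloaded": third_party[p] not in TRUSTED_INSTALLERS}
        for p in sorted(enabled) if p in third_party
    ]
```

Run it against real output by replacing the two constants with the captured command output; any entry with `sideloaded: True` should be uninstalled unless its presence is explained.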



