
BRATA Malware Poses as Android Security Scanners on Google Play Store

  • Writer: Cyber Cluster
  • Apr 13, 2021

On the official Play Store, a new group of malicious Android apps has been discovered posing as app security scanners in order to spread a backdoor capable of gathering sensitive information.


"These malicious apps urge users to upgrade Chrome, WhatsApp, or a PDF reader, but instead of upgrading the app in question, they take complete control of the system by exploiting accessibility services," according to McAfee, a cybersecurity company.


The apps in question were created with users in Brazil, Spain, and the United States in mind, and most of them have between 1,000 and 5,000 downloads. Until it was removed from the Play Store last year, another app called Defense Screen had accumulated 10,000 downloads.

BRATA (short for "Brazilian Remote Access Tool Android") began as a Brazilian malware with screen recording capabilities before gradually morphing into a banking trojan, according to Kaspersky.


"It combines full device control capabilities with the ability to display phishing webpages that steal banking credentials, as well as abilities to capture screen lock credentials (PIN, Password, or Pattern), capture keystrokes (keylogger functionality), and record the screen of the infected device to monitor a user's behaviour without their consent," McAfee researchers Fernando Ruiz and Fernando Ruiz explained.


The applications that distribute the backdoor alert unsuspecting users to a security issue on their devices and prompt them to install a fake update to a particular app (e.g., Google Chrome, WhatsApp, and a non-existent PDF reader app) to fix the problem.

After the victim agrees to install the software, BRATA requests access to the device's accessibility service, which it then abuses to capture the lock screen PIN (or password/pattern), record keystrokes, take screenshots, and even disable the Google Play Store.


By disabling the Play Store app, the malware aims to disable Play Protect as well. Play Protect is the feature that runs a preemptive safety check on apps before they are downloaded from the app store, and that checks Android devices for potentially dangerous apps and blocks them.
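As an added example (not from McAfee, Kaspersky, or the original article), the following shell script checks a device for the two conditions described above: an unexpected app holding an accessibility service, and a disabled Play Store app. The allowlist, the `com.example.*` package names, and the sample output are constructed assumptions; `com.android.vending` is the Play Store package name.

```shell
#!/bin/sh
# Live input comes from two adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -d
# Assumption: site policy listing packages allowed an accessibility service.
ALLOWLIST="com.google.android.marvin.talkback com.example.mdm.agent"

# Print packages with an enabled accessibility service that are not allowlisted.
# $1 = colon-separated "package/service" list; "null" or empty means none.
unexpected_a11y() (
  set -f; IFS=':'
  for entry in $1; do
    case "$entry" in ''|null) continue ;; esac
    pkg=${entry%%/*}
    case " $ALLOWLIST " in
      *" $pkg "*) ;;
      *) printf '%s\n' "$pkg" ;;
    esac
  done
)

# Succeed if the Play Store package appears in the disabled-package list ($1).
play_store_disabled() {
  printf '%s\n' "$1" | tr -d '\r' | grep -qxF 'package:com.android.vending'
}

# Report both findings; returns 1 when anything needs review.
audit_device() {
  a11y=$(printf '%s' "$1" | tr -d '\r\n')
  rc=0
  for pkg in $(unexpected_a11y "$a11y"); do
    echo "REVIEW: accessibility service enabled for $pkg"; rc=1
  done
  if play_store_disabled "$2"; then
    echo "REVIEW: com.android.vending (Play Store) is disabled"; rc=1
  fi
  return $rc
}

# Constructed sample output (not from a real device or malware sample).
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakescanner/com.example.fakescanner.UpdateService'
SAMPLE_DISABLED='package:com.android.vending
package:com.example.bloat'

audit_device "$SAMPLE_A11Y" "$SAMPLE_DISABLED" || true
```

A flagged package is a prompt for review, not proof of infection: legitimate password managers and assistive tools also hold accessibility services, so the allowlist needs to reflect what is actually expected on the device.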

New versions of BRATA, interestingly, add further obfuscation and encryption layers and move much of the core functionality to a remote attacker-controlled server, which lets the attackers easily upgrade the malware and exploit the devices it is installed on while remaining undetected.


"BRATA is yet another example of how effective (ab)use of accessibility services is, and how, with just a little bit of social engineering and patience, cybercriminals can trick users into granting this access to a malicious app and essentially gaining complete control of the infected computer," the researchers concluded.


"Malware writers can practically get any data they want, including banking credentials, through phishing web pages or even directly from the apps themselves, by stealing the PIN, Password, or Pattern, combined with the ability to record the screen, click on any button, and intercept anything that is entered in an editable area, while also hiding all of these activities from the user."



1 Comment


Nithin Krish
Apr 21, 2021

😀 Nice News Blog!
