First there was Brangelina, TomKat and Bennifer and now Kaspersky has presented the world with BRATA, or Brazilian RAT Android.
BRATA is not a power celebrity couple, but is a relatively new Android remote access tool family that, at least so far, has exclusively targeted Brazilians using Android 5.0 or higher, according to Kaspersky’s GReAT team. GReAT has found it hosted primarily in the Google Play store, and to a lesser extent on third-party Android outlets, with more than 20 variants having come to light so far.
The malicious actors behind BRATA are using a specific lure to attract initial downloads with the malware posing as an update to WhatsApp to patch CVE-2019-3568, a buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution. However, instead of patching that issue the malware has a real-time keylogging feature. Additionally, it uses Android’s Accessibility Service feature to interact with other applications installed on the user’s device.
Besides keylogging BRATA enables the threat actors to view the device screen in real-time, can disable the display while running actions in the background, retrieve certain Android and Google account data, remotely unlock the device and launch and uninstall applications from the device.
The fake update app has been downloaded about 10,000 times from Google Play.