Keypoints
- BRATA is distributed via Google Play apps posing as security scanners that request users to “update” common apps and to enable Accessibility services.
- Once Accessibility is granted, the malware hides its UI and runs in the background while communicating with a remote command-and-control (C2) server.
- Post-compromise capabilities include stealing lock-screen PIN/password/pattern, screen recording/screenshots, keylogging, UI interaction (automated taps/swipes), clipboard and text injection, and unlocking the device.
- BRATA serves phishing webpages tailored to installed banking apps; recent variants include targets in Spain and the USA in addition to Brazil.
- Evasion techniques include string obfuscation, encryption of configuration assets, use of commercial packers, moving core functionality to remote servers, and device/language checks before fetching the main payload.
- The malware can automate granting permissions, hide media-projection warnings, disable Google Play/Play Protect, and uninstall itself if exposed in Settings.
MITRE Techniques
- No specific MITRE ATT&CK technique IDs are enumerated in the article – the post references “Figure 10. MITRE ATT&CK Mobile for BRATA” but does not list explicit [Txxxx] technique identifiers or named techniques in the text.
Indicators of Compromise
- [File Hashes] App SHA256 samples – 4cdbd105ab8117620731630f8f89eb2e6110dbf6341df43712a0ec9837c5a9be, d9bc87ab45b0c786aa09f964a8101f6df7ea76895e2e8438c13935a356d9116b, and 3 more hashes
- [Package Names] Malicious app package names found on Google Play – com.outprotect.android, com.defensescreen.application, and 3 more packages
- [Domains] C2/phishing infrastructure examples – bialub[.]com, brorne[.]com, jachof[.]com
BRATA is deployed through repackaged Android apps on Google Play that impersonate legitimate security tools and prompt users to “update” common apps (Chrome, WhatsApp or a PDF reader) based on device language. The social-engineering flow opens Android Accessibility settings and instructs the user to enable the malicious accessibility service; after permission is granted the app hides its icon, displays a black “Updating” screen, and operates invisibly while maintaining persistent communication with a remote registration/C2 server.
With Accessibility permissions active, BRATA executes a wide command set delivered by the C2: capture screen and screenshots, log keystrokes, inject or read UI text and clipboard, perform gestures (taps/swipes) to grant permissions or interact with apps, steal and validate device lock PIN/password/pattern via a fake confirmation screen, unlock the device, start/schedule activities, and hide or unhide incoming calls. It also automates defensive actions such as dismissing the media-projection warning, clicking “Allow” on permission dialogs, disabling Google Play/Play Protect, and self-uninstalling if its settings page appears.
To avoid detection and enable flexible updates, recent BRATA variants offload core functionality to remote servers that register infected devices, supply updated lists of targeted banking apps and phishing URLs, and provide the actual command server IP/port. Additional evasion measures include string obfuscation, encryption of configuration assets, country/language gating and checks to determine whether to fetch the payload, and the use of commercial packers to hinder static and dynamic analysis. The malware serves localized phishing webpages when specific banking apps are present, expanding targets from Brazil to include Spanish- and English-language users in Spain and the USA.
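As an added defender-side example (not code from the article or from the BRATA samples), the Python helper below triages a device's installed-package list and its enabled Accessibility services against the package names and SHA256 hashes quoted on this page, flagging any non-system package that holds the Accessibility permission the malware depends on. The `adb` output, the trusted-package prefixes and the per-package hash map are constructed assumptions for the demonstration.

```python
import re

# Indicators quoted on this page (package names and SHA256 hashes)
BRATA_PACKAGES = {"com.outprotect.android", "com.defensescreen.application"}
BRATA_SHA256 = {
    "4cdbd105ab8117620731630f8f89eb2e6110dbf6341df43712a0ec9837c5a9be",
    "d9bc87ab45b0c786aa09f964a8101f6df7ea76895e2e8438c13935a356d9116b",
}
# Assumption: packages under these prefixes are allowed to hold an accessibility service
TRUSTED_ACCESSIBILITY_PREFIXES = ("com.android.", "com.google.android.")


def parse_pm_list(output):
    """Parse `adb shell pm list packages -f` lines into {package: apk_path}."""
    pkgs = {}
    for line in output.splitlines():
        m = re.match(r"package:(.+?)=([\w.]+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs


def parse_accessibility_services(output):
    """Parse `settings get secure enabled_accessibility_services` (colon-separated
    'package/ServiceClass' entries) into the set of packages holding Accessibility."""
    value = output.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/")[0] for entry in value.split(":") if entry}


def triage(pm_output, a11y_output, hashes_by_pkg):
    """Return sorted (finding, package) pairs: known BRATA packages or APK hashes,
    plus any untrusted package that has been granted an accessibility service."""
    installed = parse_pm_list(pm_output)
    findings = []
    for pkg in installed:
        if pkg in BRATA_PACKAGES:
            findings.append(("known_brata_package", pkg))
        if hashes_by_pkg.get(pkg) in BRATA_SHA256:
            findings.append(("known_brata_hash", pkg))
    for pkg in parse_accessibility_services(a11y_output):
        if not pkg.startswith(TRUSTED_ACCESSIBILITY_PREFIXES):
            findings.append(("untrusted_accessibility_service", pkg))
    return sorted(findings)


# Constructed sample device output (not captured from a real device)
SAMPLE_PM = """package:/data/app/com.defensescreen.application-1/base.apk=com.defensescreen.application
package:/system/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/com.example.notes-2/base.apk=com.example.notes"""
SAMPLE_A11Y = "com.defensescreen.application/.AccService:com.google.android.marvin.talkback/.TalkBackService"
# Constructed: a repackaged APK under a different name but with a known-bad hash
SAMPLE_HASHES = {"com.example.notes": "4cdbd105ab8117620731630f8f89eb2e6110dbf6341df43712a0ec9837c5a9be"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_HASHES):
        print("%s: %s" % finding)
```

On a real device the two inputs come from `adb shell pm list packages -f` and `adb shell settings get secure enabled_accessibility_services`, with APK hashes computed from the paths in the first output.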