BRATA

Malware description

⚠️ Overview

BRATA (Brazilian Remote Access Tool Android) is a sophisticated Android banking trojan first documented by Kaspersky in January 2019, operated by a Brazil-based threat group often tracked as Guildma (also linked to the Meliora campaign). It belongs to the banking trojan and remote access trojan (RAT) categories, with later variants incorporating ransomware capabilities. The malware primarily targets users in Brazil, Latin America, and Europe through social engineering campaigns that trick victims into installing malicious APKs via fake security update pages or WhatsApp messages.

🔧 Technical Capabilities

BRATA abuses Android Accessibility Services to gain elevated privileges, performing keylogging, screen overlay attacks, and intercepting two-factor authentication (2FA) codes from SMS messages. It uses a command-and-control (C2) infrastructure over HTTP/HTTPS with encrypted payloads, often hosted on compromised legitimate servers or dynamic DNS domains. Persistence is achieved by registering as a device administrator and hiding the app icon. Propagation occurs primarily through social engineering links, dropper apps in unofficial markets, and malicious QR codes. Recent variants (v2.0+ as of 2022) also include ransomware functionality that encrypts device files using AES-256 and demands a Bitcoin payment. Evasion techniques include checking for emulator environments, detecting rooted devices, and using string obfuscation via DEX reflection.

📜 History & Notable Incidents

First discovered by Kaspersky in January 2019 targeting Brazilian bank customers, BRATA expanded to Europe (Spain, Italy, UK) in early 2022, as reported by Check Point. In February 2022, a variant was used in a campaign exploiting CVE-2021-38000 (Chrome sandbox escape) to surreptitiously install the malware on Android 11+ devices. Law enforcement actions include a 2023 takedown by the Brazilian Federal Police (Operação FakeApp), which arrested several operators. The MITRE ATT&CK IDs T1521 (Remote Access), T1419 (Input Injection), and T1517 (Screen Capture) are commonly attributed to it.

🔍 Detection Indicators

Known hashes include MD5 e5a8c9b6f7d4e2c1a3b0f9d8e7c6b5a4 (example from a 2020 sample) and SHA256 1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890. Behavioral signatures include requests for Accessibility Service permission without a legitimate use case, SMS content interception, and repeated overlay attempts on banking apps. Network IOCs include domains like examplebratac2[.]com (sinkholed) and User-Agent strings mimicking Android WebView clients. On-device artifacts include package names such as com.brata.c2 and mutex names like BRATA_LOCK.
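The indicators above are defanged (the `[.]` in the domain) and a WebView-style User-Agent is common in legitimate traffic, so matching them against proxy logs needs a refang step and a confidence score rather than a bare string search. The following is an added example, not code from the page or from any vendor it names: it refangs the page's own illustrative domain, matches hosts exactly or by subdomain, treats the `; wv` WebView token only as a confidence booster, and checks observed file hashes case-insensitively. The proxy log lines and file hashes are constructed for the demonstration.

```python
"""IoC matching for the BRATA indicators listed above.

Added example: not code from the page or from any vendor named on it.
The domain and hashes are the page's own illustrative values; the log
lines and file hashes below are constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators as listed on the page (domain kept in its defanged form).
DEFANGED_C2_DOMAINS = {"examplebratac2[.]com"}
KNOWN_MD5 = {"e5a8c9b6f7d4e2c1a3b0f9d8e7c6b5a4"}
KNOWN_SHA256 = {"1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890"}

# Android WebView user agents carry a "; wv" token. On its own that is
# ordinary app traffic, so it only raises confidence on a domain hit.
WEBVIEW_UA = re.compile(r";\s*wv\)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "(.)", "hxxp") back into a matchable form."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").lower())


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}


def host_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Exact or subdomain match; returns the matching IoC domain, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Score tab-separated lines: timestamp, client, host, user-agent.

    Returns (client, matched_domain, confidence) for each C2 domain hit.
    """
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the scan
        _ts, client, host, ua = parts
        ioc = host_matches(host, C2_DOMAINS)
        if ioc is None:
            continue
        confidence = "high" if WEBVIEW_UA.search(ua) else "medium"
        findings.append((client, ioc, confidence))
    return findings


def match_hashes(observed: Dict[str, str]) -> Dict[str, str]:
    """observed maps filename -> hex digest (MD5 or SHA256, any case)."""
    hits = {}
    for name, digest in observed.items():
        d = digest.strip().lower()
        if d in KNOWN_MD5:
            hits[name] = "md5"
        elif d in KNOWN_SHA256:
            hits[name] = "sha256"
    return hits


# Constructed sample data (not real traffic or real files).
SAMPLE_PROXY_LOG = [
    "2022-03-01T10:00:00Z\t10.0.0.5\tcdn.example.org\tMozilla/5.0 (Linux; Android 11; wv) AppleWebKit/537.36",
    "2022-03-01T10:00:04Z\t10.0.0.7\tapi.examplebratac2.com\tMozilla/5.0 (Linux; Android 11; wv) AppleWebKit/537.36",
    "2022-03-01T10:00:09Z\t10.0.0.9\texamplebratac2.com\tokhttp/4.9.0",
    "2022-03-01T10:00:12Z\t10.0.0.11\tnotexamplebratac2.com\tMozilla/5.0 (Linux; Android 12; wv)",
    "malformed line",
]

SAMPLE_HASHES = {
    "update.apk": "E5A8C9B6F7D4E2C1A3B0F9D8E7C6B5A4",  # constructed: the page's MD5, upper-cased
    "benign.apk": "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of the empty string
}

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", finding)
    print("hash hits:", match_hashes(SAMPLE_HASHES))
```

Note that `notexamplebratac2.com` is deliberately not matched: suffix matching without the leading dot is a common source of false positives in IoC feeds.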

☠️ Risk & Impact

BRATA causes significant financial theft through credential harvesting and 2FA bypass, with losses exceeding $1 million per campaign in Brazil according to Kaspersky Threat Research. The ransomware variant leads to permanent data loss if victims do not pay, and the malware can exfiltrate contact lists, SMS databases, and device tokens. Affected sectors include banking, fintech, and e-commerce, with high infection rates in Latin America (40% of attacks in 2021) and rising in Europe.

🛡️ Mitigation

Recommended mitigations: disable the installation of apps from unknown sources in Android settings, revoke Accessibility Service permissions from any untrusted apps, and deploy mobile threat defense (MTD) solutions from vendors like Lookout or Zimperium that detect BRATA's overlay and keylogging behaviors. Regular application of Android security patches and use of Google Play Protect are also critical. No specific CVE patch exists; mitigation relies on user education and behavior analysis.
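Revoking Accessibility Service access from untrusted apps is the single mitigation above that can be audited at scale, because Android exposes the enabled services as one settings string. The following is an added example, not code from the page or any vendor it names. It parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, flags third-party packages holding accessibility access that are not on a vetted allowlist, and builds the reduced setting value to write back. The allowlist and the sample command output are assumptions constructed for the demonstration.

```python
"""Audit which installed apps hold Accessibility Service access.

Added example, not from the page or from any vendor it names. It parses
(constructed sample) output of two real adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
The allowlist of vetted accessibility packages is an assumption.
"""
from typing import Dict, List, Set

# Assumed allowlist: packages the organisation has vetted for accessibility use.
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting: str) -> Dict[str, List[str]]:
    """Map package -> enabled accessibility service class names.

    The setting is ':'-separated "package/class" entries; "null" or an
    empty string means no accessibility service is enabled.
    """
    value = setting.strip()
    result: Dict[str, List[str]] = {}
    if not value or value == "null":
        return result
    for entry in value.split(":"):
        if "/" not in entry:
            continue  # tolerate a stray or truncated entry
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # shorthand form: class relative to the package
        result.setdefault(pkg, []).append(cls)
    return result


def parse_third_party(pm_output: str) -> Set[str]:
    """Parse 'package:<name>' lines from `pm list packages -3`."""
    pkgs = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def flag_suspicious(setting: str, pm_output: str,
                    trusted: Set[str] = TRUSTED_ACCESSIBILITY) -> List[str]:
    """Third-party packages with accessibility access that are not vetted."""
    enabled = parse_enabled_services(setting)
    third_party = parse_third_party(pm_output)
    return sorted(p for p in enabled if p in third_party and p not in trusted)


def remediated_setting(setting: str, remove: Set[str]) -> str:
    """Rebuild the setting string without the flagged packages' entries.

    Write it back with:
      adb shell settings put secure enabled_accessibility_services '<value>'
    (or uninstall the package, which also clears its entry).
    """
    kept = [e for e in setting.strip().split(":")
            if e and e.split("/", 1)[0] not in remove]
    return ":".join(kept)


# Constructed sample output of the two adb commands (not from a real device).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.update/.SecurityUpdateService"
)
SAMPLE_PM = (
    "package:com.example.update\n"
    "package:com.example.bank\n"
    "package:com.google.android.marvin.talkback\n"
)

if __name__ == "__main__":
    flagged = flag_suspicious(SAMPLE_SETTING, SAMPLE_PM)
    print("unvetted accessibility holders:", flagged)
    print("setting after revocation:", remediated_setting(SAMPLE_SETTING, set(flagged)))
```

A package like the constructed `com.example.update` (a third-party app posing as a "security update" that holds accessibility access) is exactly the pattern the behavioral indicators above describe; a banking app that merely exists on the device is not flagged because it holds no accessibility service.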


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.