{"id":3986,"date":"2021-12-04T19:03:56","date_gmt":"2021-12-04T13:33:56","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3986"},"modified":"2021-12-04T19:03:58","modified_gmt":"2021-12-04T13:33:58","slug":"unauthorized-support-agents-call-victims-to-install-android-banking-trojan","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/","title":{"rendered":"Unauthorized Support Agents Call Victims to Install Android Banking Trojan"},"content":{"rendered":"\n
The BRATA Android remote access trojan (RAT) has been spotted in Italy, with threat actors calling victims of SMS attacks to steal their online banking credentials. The variant currently in circulation is new, and according to a report by researchers at Xiarch, it can pass undetected by the vast majority of AV scanners.<\/p><\/p>\n\n\n\n
BRATA was previously seen in Brazil, delivered via apps on the Google Play Store, but it appears that its authors are now selling it to foreign operators, which is not unusual in this field.<\/p><\/p>\n\n\n\n
The Italian campaign was first spotted in June 2021, delivering multiple Android apps through SMS phishing, otherwise known as smishing. Most of the malicious apps were called \u201cSicurezza Dispositivo\u201d (Device Security) and were promoted as anti-spam tools.<\/p><\/p>\n\n\n\n
That first wave failed in AV detection, having a 50% stealthiness rate in Virus Total. These high detection rates led to a second wave using a new variant with extremely low detection rates in mid-October. In the second wave, the actors also expanded their targeting scope, raising the targeted financial institutes from one to three.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
What are Manual labor Requirement?<\/strong><\/h2>\n\n\n\n
The attack begins with an unsolicited SMS text linking a malicious website. This text claims to be a message from the bank urging the recipient to download an anti-spam app. The link leads to a page from where the victim downloads the BRATA malware themselves or takes them to a phishing page to enter their banking credentials.<\/p><\/p>\n\n\n\n
During that step, the threat actors call the victim on the phone and pretend to be an employee of the bank, offering help with installing the app.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
The app requires multiple permissions to enable the actor to take full control of the compromised device, including the Accessibility services, view and send SMS, make phone calls, and perform screen recording.<\/p><\/p>\n\n\n\n
The full list of BRATA\u2019s capabilities includes:<\/p><\/p>\n\n\n\n
Intercept SMS messages and forward them to a C2 server. This feature is used to get 2FA sent by the bank via SMS during the login phase or to confirm money transactions.<\/li>
Screen recording and casting capabilities allow the malware to capture any sensitive information displayed on the screen. This includes audio, passwords, payment information, photo, and messages. Through the Accessibility Service, the malware clicks the \u201cstart now\u201d button (of the popup) automatically, so the victim is not able to deny the recording\/casting of the owned device.<\/li>
Remove itself from the compromised device to reduce detection.<\/li>
Uninstall specific applications (e.g., antivirus).<\/li>
Hide its own icon app to be less traceable by not advanced users.<\/li>
Disable Google Play Protect to avoid being flagged by Google as a suspicious app.<\/li>
Modify the device settings to get more privileges.<\/li>
Unlock the device if it is locked with a secret pin or pattern.<\/li>
Display the phishing page.<\/li>
Abuse the accessibility service to read everything that is shown on the screen of the infected device or to simulate clicks (taps) on the screen. This information is then sent to the C2 server of the attackers.<\/li><\/ul>\n\n\n\n
The actors abuse these permissions to access the victim\u2019s bank account, retrieve the 2FA code, and eventually perform fraudulent transactions. The mule accounts used as intermediary points in this campaign are based in Italy, Lithuania, and the Netherlands.<\/p><\/p>\n\n\n\n
Stay Secure<\/strong>!!<\/h4>\n\n\n\n
As this is a mobile campaign, desktop users are excluded from infections to narrow the targeting scope to prospective victims. If you try to open the link contained in the SMS on a PC or laptop, the website won\u2019t be viewable. That\u2019s a simple checking method to confirm the validity of incoming messages.<\/p><\/p>\n\n\n\n
Secondly, no bank ever suggests installing any app other than the official e-banking app, which is found on the Play Store\/App Store and linked to the bank\u2019s official website. Finally, whenever you install an app, pay attention to the type of permission requested and consider its relevance to the app\u2019s functionality. Do not install the app if an app is requesting too many permissions unrelated to its functionality.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
The BRATA Android remote access trojan (RAT) has been spotted in Italy, with threat actors calling victims of SMS attacks to steal their online banking credentials. The variant currently in circulation is new, and according to a report by researchers at Xiarch, it can pass undetected by the vast majority of AV scanners. BRATA was […]<\/p>\n","protected":false},"author":2,"featured_media":3989,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"\n
Unauthorized Support Agents Call Victims to Install Android Banking Trojan - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Unauthorized Support Agents Call Victims to Install Android Banking Trojan - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"The BRATA Android remote access trojan (RAT) has been spotted in Italy, with threat actors calling victims of SMS attacks to steal their online banking credentials. The variant currently in circulation is new, and according to a report by researchers at Xiarch, it can pass undetected by the vast majority of AV scanners. BRATA was […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-04T13:33:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-12-04T13:33:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/12\/Unauthorized-Support-Agents-Call-Victims-to-Install-Android-Banking-Trojan-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"Unauthorized Support Agents Call Victims to Install Android Banking Trojan\",\"datePublished\":\"2021-12-04T13:33:56+00:00\",\"dateModified\":\"2021-12-04T13:33:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/\"},\"wordCount\":679,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/\",\"url\":\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/\",\"name\":\"Unauthorized Support Agents Call Victims to Install Android Banking Trojan - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-12-04T13:33:56+00:00\",\"dateModified\":\"2021-12-04T13:33:58+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Unauthorized Support Agents Call Victims to Install Android Banking Trojan\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Unauthorized Support Agents Call Victims to Install Android Banking Trojan - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/","og_locale":"en_US","og_type":"article","og_title":"Unauthorized Support Agents Call Victims to Install Android Banking Trojan - Xiarch Solutions Private Limited","og_description":"The BRATA Android remote access trojan (RAT) has been spotted in Italy, with threat actors calling victims of SMS attacks to steal their online banking credentials. The variant currently in circulation is new, and according to a report by researchers at Xiarch, it can pass undetected by the vast majority of AV scanners. BRATA was […]","og_url":"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-12-04T13:33:56+00:00","article_modified_time":"2021-12-04T13:33:58+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/12\/Unauthorized-Support-Agents-Call-Victims-to-Install-Android-Banking-Trojan-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"Unauthorized Support Agents Call Victims to Install Android Banking Trojan","datePublished":"2021-12-04T13:33:56+00:00","dateModified":"2021-12-04T13:33:58+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/"},"wordCount":679,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/","url":"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/","name":"Unauthorized Support Agents Call Victims to Install Android Banking Trojan - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-12-04T13:33:56+00:00","dateModified":"2021-12-04T13:33:58+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/unauthorized-support-agents-call-victims-to-install-android-banking-trojan\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Unauthorized Support Agents Call Victims to Install Android Banking Trojan"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3986"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=3986"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3986\/revisions"}],"predecessor-version":[{"id":3993,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3986\/revisions\/3993"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/3989"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=3986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=3986"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=3986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Unauthorized-Support-Agents-Call-Victims-to-Install-Android-Banking-Trojan-image1\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/12\/Unauthorized-Support-Agents-Call-Victims-to-Install-Android-Banking-Trojan-image1-1-784x1024.png\")
<\/figure><\/div>\n\n\n\n![\"Unauthorized-Support-Agents-Call-Victims-to-Install-Android-Banking-Trojan-image2\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/12\/Unauthorized-Support-Agents-Call-Victims-to-Install-Android-Banking-Trojan-image2-1024x587.png\")
<\/figure><\/div>\n\n\n\n