BRata looked like a WhatsApp update but was actually malware (a trojan) hosted on the Google Play Store. Kaspersky researchers gave it that name because it is a Brazilian (BR) Android RAT (Remote Administration Tool).
Part of a new trend observed by the Russian company, this “spy for the masses” allowed real-time monitoring of an infected Android device’s screen. That is, the tool mirrored the smartphone’s display and transmitted everything the victim did to the attacker: a silent intruder.
Dmitry Bestuzhev, director of Kaspersky’s Latin American research team, and Santiago Pontiroli, security analyst on the same team, gave more details about an Android trojan whose main distribution channel was Google’s official app store. First detected in January 2019, BRata was also found in alternative Android app stores, distributed as an .apk file.
The campaign had a specific target: Brazilians using Android Lollipop (5.0) or later. Very specific infection vectors were used to steer victims to the legitimate Google Play page: push notifications on compromised websites, phishing messages on WhatsApp or via SMS, sponsored links in Google searches (ads bought for search terms) and social engineering.
In a second wave of detections, in June, the malware reappeared “disguised” as the fix for a real WhatsApp flaw that had been exploited in attacks (CVE-2019-3568). In all, more than 20 variants were detected, and this fake patch alone had more than ten thousand downloads from the Google Play Store, gaining around 550 victims a day until it was discovered.
BRata in action
Besides revealing what is happening on the infected phone’s screen, the malware can steal emails, messages exchanged in apps, the user’s location and browsing history, passwords and bank logins (via a keylogger), and it can also activate the device’s camera and microphone. It resembles parental monitoring apps, but without the knowledge or authorization of the phone’s owner: a premeditated intrusion.
That is not all: the malware can also remotely black out the screen to hide what the criminal is doing on the phone. All of this relies on the Android Accessibility Services feature to interact with the other applications installed on the device. Two years earlier, in 2017, Google had said it would require developers to justify their use of this feature and would otherwise block the app’s approval.
Abusing the accessibility API means abusing access that exists for genuinely useful features, such as autofill, reusing login details between apps (password managers) and freely copying and pasting data through the clipboard.
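A quick way to audit this on a device, as an added example that is not part of the article or of Kaspersky’s research: Android stores the enabled accessibility services in the secure setting enabled_accessibility_services, which “adb shell settings get secure enabled_accessibility_services” prints as a colon-separated list of package/service entries (or “null” when none is set). The script below parses such a list and flags any package that is not on an allowlist. The allowlist contents and the sample input are assumptions constructed for this example; replace them with the packages you actually trust and with real device output.

```shell
#!/bin/sh
# Added example (not from the Tecnoblog article or Kaspersky): triage which apps
# hold Android Accessibility Service access, the capability BRata abused.
# On a real device the raw list comes from:
#   adb shell settings get secure enabled_accessibility_services
# Format: colon-separated "package/ServiceClass" entries, e.g.
#   com.example.reader/.ReaderService:com.other.app/com.other.app.Svc
# ALLOWLIST is an assumption for the example: put the packages you trust here.
ALLOWLIST="com.android.talkback com.google.android.marvin.talkback"

# Print one package name per line from a raw enabled_accessibility_services string.
list_accessibility_packages() {
    # "null" is what `settings get` prints when the setting has never been set.
    if [ -z "$1" ] || [ "$1" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sed '/^$/d'
}

# Print every enabled package that is not on the allowlist.
# Exit status 1 if at least one suspect package was found, 0 otherwise.
flag_unknown_accessibility_services() {
    found=0
    for pkg in $(list_accessibility_packages "$1"); do
        case " $ALLOWLIST " in
            *" $pkg "*) ;;   # trusted accessibility service
            *) echo "SUSPECT accessibility service: $pkg"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample standing in for the adb output: one legitimate screen
# reader plus a made-up package posing as a WhatsApp update.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.whatsapp.update.fake/.Svc'
flag_unknown_accessibility_services "$SAMPLE" \
    || echo "Review the flagged packages before trusting this device."
```

The allowlist approach matters more than the parsing: on a phone used for banking, any accessibility service you cannot account for deserves the same scrutiny the Kaspersky analysts describe, since the permission lets an app read and act on every other app’s screen.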
“The only strange thing about the installation process was that BRata asked for permission to use accessibility services. Only that, nothing more. The name of the app’s developer was also different,” explains Pontiroli.
Once tricked, whoever downloaded the fake WhatsApp update saw the message “Update applied successfully”. Developed by Brazilians and aimed at Brazilian online banking users, BRata is a good example of how espionage has become a type of attack that no longer targets a few very specific victims, but everyone.
By reverse engineering the malware, the Kaspersky team recreated the administration panel that receives the data the malware captures, and demonstrated it.
“Since 2014 we have been seeing corporate espionage, but what we see now is an evolution of implants aimed at ordinary users,” says Pontiroli.
Google, the cat and the mouse
Once discovered and reported to Google, this is the kind of problem that can be resolved in a few hours. At the center of the discussion is Google Bouncer, the automated system that scans the Android store for security anomalies and malware.
“To beat Google’s detection, criminals use some kinds of code protection. Since [Google’s] system looks for standardized behaviors, in this case it didn’t detect anything,” says the analyst. Once the malware was detected by a Kaspersky product, the information was shared in the cloud and analyzed.
Contacted by Tecnoblog, Google said that the Google Play Store currently has 2 billion apps for Android. The company says it does not comment on specific cases, and that to request the inclusion of an app in the store a developer must follow Google’s policies; otherwise, the developer may be penalized.
“After submission for approval, every new application undergoes an evaluation that takes a minimum of 3 days. However, this time can vary due to several factors (…). During this period, the program is analyzed to check whether it meets each specific requirement of our Unwanted Software Policy, and any program that violates it and is potentially harmful to the user is subject to the appropriate measures to guarantee security,” Google stated.
In addition to the pre-approval filter, Google has also created a program that checks Android devices actively and automatically: Google Play Protect. “Using this technology, we analyze about 50 billion applications a day, looking for threats. If any suspicious behavior is identified, the software is removed from the store and the user is notified,” the search giant said in a statement.
It is a fact that BRata’s main target so far has been Brazil, but a stalking tool like this has the potential to hit Android users anywhere in the world. Bestuzhev reveals that attacker kits are easily sold on the internet and that other criminals may use the same tools in another country in the future.
“Today practically anyone has access to them, since the malware is sold on the illegal market for R$ 3,000,” he concludes. The specialist also says the kits are traded in exchange for services or other malware.
* Data from Kaspersky’s 2019 “Panorama of Cyber Threats in Latin America”.
** The journalist traveled to Argentina at the invitation of the company.