Threat actors were seen by researchers posing as a bank customer support service that call or text targets and instructing them to install a particular app that contains an Android banking malware remote access trojan (RAT) dubbed “BRATA malware.”
Researchers first spotted this campaign in Italy, where threat actors disseminate SMS spams to steal e-banking credentials and information. According to them, this RAT variant circulating in Italy is relatively new, and it can avoid detection from most available anti-virus scanners.
The Android banking malware campaign starts with an unwanted email or text sent by the threat actors spoofing a bank customer service.
These emails or texts contain a malicious website embedded with a download button for an anti-spam application. However, this anti-spam application contains the BRATA malware, which unaware targets will potentially download. During the initial downloading step, the threat operators will call the target on the phone and impersonate an employee of a specific bank to help install the malicious app.
Moreover, the app will require the target to enable multiple permissions so the threat actors can fully control the infected device. When the target grants the permissions, the actors will obtain accessibility to multiple functions such as viewing and sending texts, executing calls, and activating screen recording.
Since this campaign exclusively targets mobile users in Italy, desktops are removed from devices infected by the Android banking malware. Experts also advise users to check the legitimacy of an application by checking its link or confirming it with the bank. Furthermore, no known bank will advise their clients to install an application from a third-party app store. These days, financial institutions, especially banks, have an official banking app ready to download in Google Play Store.
If you want to install a banking app, assess first the type of permission requested by the product and consider its use for mobile applications. Do not install any app if it asks for permissions irrelevant to its overall function.
