Kaspersky: Cybercrime is using BRATA RAT to spy mobile users in Brazil. It spreads via WhatsApp and SMS messages, or a fake WhatsApp update in Android App stores
It’s dubbed BRATA and is a remote access tool (RAT) spreading via WhatsApp and SMS messages to infect and spy on Brazilian Android users. It has been discovered by Kaspersky cyber security experts. Until now, the researchers have discovered more than 20 unique malware variants in apps delivered via the Google Play Store, with some also having been found on unofficial app stores. Cybercrime have been using several infection vectors, including push notifications sent via compromised websites, as well as messages delivered via WhatsApp or SMS, and sponsored links in Google searches. However, the vast majority of the variants spotted in the wild were camouflaged as updates for WhatsApp. After being downloaded and executed, the fake updates would exploit the cross-platform messaging and Voice over IP (VoIP) service CVE-2019-3568 vulnerability to infect the mobile devices of the targeted users.
The malware capabilities according the cyber security experts
According to the cyber security experts, BRATA targeted exclusively victims in Brazil. However, cybercrime could use it to attack any other Android user. It has been widespread since January 2019, but for the malware to function correctly, it requires at least Android Lollipop 5.0 version. The RAT, once installed, can perform some commands: capture and send user’s screen output in real-time; turn off the screen or give the user the impression that the screen is off, while performing actions in the background. It also retrieves system information, logged user and their registered Google accounts; it unlock the device or perform a remote unlock; launch any application installed with a set of parameters sent via a JSON data file, and send a string of text to input data in textboxes.