A new set of malicious Android apps have been caught posing as app security scanners on the official Play Store to distribute a backdoor capable of gathering sensitive information.
“These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device by abusing accessibility services,” cybersecurity firm McAfee said in an analysis published on Monday.
The apps in question were designed to target users in Brazil, Spain, and the U.S., with most of them accruing anywhere between 1,000 to 5,000 installs. Another app named DefenseScreen racked up 10,000 installs before it was removed from the Play Store last year.
First documented by Kaspersky in August 2019, BRATA (short for “Brazilian Remote Access Tool Android”) emerged as a Brazilian malware with screen recording abilities before steadily morphing into a banking trojan.
“It combines full device control capabilities with the ability to display phishing webpages that steal banking credentials in addition to abilities that allow it capture screen lock credentials (PIN, Password or Pattern), capture keystrokes (keylogger functionality), and record the screen of the infected device to monitor a user’s actions without their consent,” McAfee researchers Fernando Ruiz and Carlos Castillo said.
The apps that distribute the backdoor alert unsuspecting users of a security issue on their devices, prompting them to install a fake update of a specific app (e.g., Google Chrome, WhatsApp, and a non-existent PDF reader app) to address the problem.
Once the victim agrees to install the app, BRATA requests permissions to access the device’s accessibility service, abusing it to capture lock screen PIN (or password/pattern), record keystrokes, take screenshots, and even disable the Google Play Store.
By disabling the Play Store app, the idea is also to disable Play Protect, a feature that preemptively runs a safety check on apps before they are downloaded from the app store, and routinely scans Android devices for potentially harmful apps and removes them.
Interestingly, new versions of BRATA also come equipped with added obfuscation and encryption layers, besides moving most of the core functionality to a remote attacker-controlled server, in turn allowing the attackers to easily update the malware and exploit the devices they were installed on while staying under the radar.
“BRATA is just another example of howpowerful the (ab)use of accessibilityservices is and how, with just a little bit of social engineering and persistence, cybercriminals can trick users into granting this access to a malicious app and basically getting total control of the infected device,” the researchers concluded.
“By stealing the PIN, Password or Pattern, combined with the ability to record the screen, click on any button and intercept anything that is entered in an editable field, malware authors can virtually get any data they want, including banking credentials via phishing web pages or even directly from the apps themselves, while also hiding all these actions from the user.”