The security company Cleafy has analyzed three new variants of the remote access Trojan BRATA. The researchers suspect that the BRATA authors use a factory reset to prevent their victims from detecting an unauthorized transfer attempt and reporting the scam.
BRATA was originally spyware but was later upgraded to a banking Trojan. Discovered by Kaspersky researchers in 2019, it was initially targeted at users in Brazil. Since then, the Trojan has expanded its reach to US and Spanish banks, according to McAfee.
Factory reset acts as a kill switch that is executed after a successful illegal transfer or upon analysis by installed security software. “It appears that the backers are using this feature to remove any traces immediately after an unauthorized transfer attempt,” Cleafy said. “In this way, the victim loses even more time before realizing that a malicious action has taken place.”
Factory reset is achieved by BRATA impersonating a legitimate security app and prompting the victim to grant it the “Device Management” (device administrator) permission. That permission allows the app to wipe all data, change the screen lock and set password rules.
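An app can only wipe, lock or set password rules through device administration if it declares those policies in its device-admin policy resource (the XML referenced by the app's `android.app.device_admin` meta-data). The following added example, not code from Cleafy or from the malware, parses such a resource and maps each declared policy to the capability the article describes; the XML sample is constructed for the example, not BRATA's own.

```python
import xml.etree.ElementTree as ET

# Constructed device-admin policy resource for this example (not BRATA's own).
# A legitimate anti-spam app would have no reason to request these policies.
SAMPLE_DEVICE_ADMIN_XML = """
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <limit-password />
    <reset-password />
    <force-lock />
    <wipe-data />
  </uses-policies>
</device-admin>
"""

# Android device-admin policy tags mapped to the capability each grants.
POLICY_MEANING = {
    "wipe-data": "can factory reset the device (wipe all data)",
    "force-lock": "can lock the screen at will",
    "reset-password": "can change the screen-lock credential",
    "limit-password": "can set password rules",
    "disable-keyguard-features": "can weaken the lock screen",
}

# Policies whose presence in a consumer "security" app warrants immediate review.
HIGH_RISK = {"wipe-data", "reset-password", "force-lock"}


def requested_policies(xml_text: str) -> list[str]:
    """Return the policy tags declared under <uses-policies>, in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != "device-admin":
        raise ValueError("not a device-admin policy resource")
    policies = root.find("uses-policies")
    return [] if policies is None else [child.tag for child in policies]


def triage(xml_text: str) -> dict:
    """Summarise what the app could do once the user grants it device admin."""
    policies = requested_policies(xml_text)
    return {
        "policies": policies,
        "capabilities": [POLICY_MEANING.get(p, f"unknown policy {p}") for p in policies],
        "high_risk": sorted(HIGH_RISK.intersection(policies)),
        "can_wipe": "wipe-data" in policies,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DEVICE_ADMIN_XML)
    for capability in report["capabilities"]:
        print(capability)
    print("high-risk policies:", report["high_risk"])
```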
According to Cleafy, BRATA is distributed via SMS masquerading as a bank and containing a link to a website where the victim is tricked into downloading an anti-spam app. The scammers then call the victim and trick them into installing the banking Trojan app, which the attackers can then use to intercept the second-factor authentication codes sent by the bank to authorize fraudulent transactions.