A new set of malicious Android apps has been caught posing as app security scanners on the official Play Store to distribute a backdoor capable of gathering sensitive information.
“These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device by abusing accessibility services,” cybersecurity firm McAfee said in an analysis published on Monday.
The apps in question were designed to target users in Brazil, Spain, and the U.S., with most of them accruing anywhere between 1,000 to 5,000 installs. Another app named DefenseScreen racked up 10,000 installs before it was removed from the Play Store last year.
First documented by Kaspersky in August 2019, BRATA (short for “Brazilian Remote Access Tool Android”) emerged as an Android malware with screen recording abilities before gradually morphing into a banking trojan.
“It combines full device control capabilities with the ability to display phishing webpages that steal banking credentials in addition to abilities that allow it capture screen lock credentials (PIN, Password or Pattern), capture keystrokes (keylogger functionality), and record the screen of the infected device to monitor a user’s actions without their consent,” McAfee researchers Fernando Ruiz and Carlos Castillo said.
The apps that distribute the backdoor alert unsuspecting users of a security issue on their devices, prompting them to install a fake update of a specific app (e.g., Google Chrome, WhatsApp, and a non-existent PDF reader app) to address the problem.
Once the victim agrees to install the app, BRATA requests permission to access the device’s accessibility service, abusing it to capture the lock screen PIN (or password/pattern), record keystrokes, take screenshots, and even disable the Google Play Store.
By disabling the Play Store app, the idea is also to disable Play Protect, a feature that preemptively runs a safety check on apps before they’re downloaded from the app store, and routinely scans Android devices for potentially harmful apps and removes them.
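The two device-state changes described above, an unexpected app holding the accessibility service and the Play Store package being disabled, are both visible through ordinary `adb shell` commands, which makes them useful triage checks for a defender. The following helper is an added example and is not code from McAfee or from this article: it parses the output of `settings get secure enabled_accessibility_services` and `pm list packages -d` and flags anything that matches the behaviour described. The sample outputs, the allowlist, and the package name `com.example.fakescanner` are constructed placeholders, not indicators from the report.

```python
"""Triage helper for two BRATA-style tampering signs on an Android device.

Added example, not part of the original article. It works on text already
pulled from a device (for instance via
`adb shell settings get secure enabled_accessibility_services` and
`adb shell pm list packages -d`), so it runs offline on the constructed
samples below.
"""
from dataclasses import dataclass
from typing import List

# Package name of the Google Play Store app.
PLAY_STORE_PKG = "com.android.vending"

# Accessibility services a defender has reviewed and accepts on this fleet.
# Constructed example allowlist; replace with services actually approved
# in your own environment.
KNOWN_GOOD_SERVICES = {
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample outputs. "com.example.fakescanner" is a hypothetical
# placeholder standing in for an unreviewed app, not a real indicator.
SAMPLE_ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakescanner/.AccessibilityHelper"
)
SAMPLE_DISABLED_PACKAGES = (
    "package:com.android.vending\n"
    "package:com.example.unused\n"
)


@dataclass
class Finding:
    severity: str
    detail: str


def parse_enabled_services(raw: str) -> List[str]:
    """Parse the secure setting enabled_accessibility_services.

    Android stores it as a colon-separated list of flattened component
    names ("pkg/Service:pkg2/Service2"); the string "null" or an empty
    value means no service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_disabled_packages(raw: str) -> List[str]:
    """Parse `pm list packages -d` output: one "package:<name>" per line."""
    packages = []
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.append(line[len("package:"):])
    return packages


def triage(enabled_services_raw: str, disabled_packages_raw: str) -> List[Finding]:
    """Return findings for unreviewed accessibility services and a disabled Play Store."""
    findings: List[Finding] = []
    for service in parse_enabled_services(enabled_services_raw):
        if service not in KNOWN_GOOD_SERVICES:
            package = service.split("/", 1)[0]
            findings.append(Finding(
                "high",
                f"unreviewed accessibility service enabled: {service} (package {package})",
            ))
    if PLAY_STORE_PKG in parse_disabled_packages(disabled_packages_raw):
        findings.append(Finding(
            "high",
            "Play Store (com.android.vending) is disabled; Play Protect cannot scan this device",
        ))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_DISABLED_PACKAGES):
        print(f"[{finding.severity}] {finding.detail}")
```

On the constructed samples the helper reports two findings: the unreviewed `com.example.fakescanner` accessibility service and the disabled Play Store. Neither check alone proves infection (users legitimately enable accessibility apps, and OEM tooling can disable packages), but an accessibility service belonging to a recently installed "scanner" app together with a disabled Play Store is exactly the combination the analysis above describes, so both should be reviewed together with the app's install source.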
Interestingly, new versions of BRATA also come equipped with added obfuscation and encryption layers, besides moving most of the core functionality to a remote attacker-controlled server, in turn allowing the attackers to easily update the malware and exploit the devices it was installed on while staying under the radar.
“BRATA is just another example of how powerful the (ab)use of accessibility services is and how, with just a little bit of social engineering and persistence, cybercriminals can trick users into granting this access to a malicious app and basically getting total control of the infected device,” the researchers concluded.
“By stealing the PIN, Password or Pattern, combined with the ability to record the screen, click on any button and intercept anything that’s entered in an editable field, malware authors can practically get any data they want, including banking credentials via phishing web pages or even directly from the apps themselves, while also hiding all these actions from the user.”