A new type of spy app is affecting Brazilian users. It goes through upgrading WhatsApp to install on the victim's mobile phone. When it starts working, it can send confidential information to criminals in real time, as well as allowing remote access to the device without the owner being able to see. The malware, called BRata, which was discovered this year and has already killed more than 20,000 victims, was announced on Wednesday (28) during the Kaspersky Latin American Security Conference in Argentina. In an interview with dnetc, Dmitry Bestuzhev, head of security and analysis team, explained how the malicious app works and how to protect itself.
Phishing: Know the scam that causes 90% of internet thefts
Malware BRata "a spy in your pocket," explains Dmitry Bestuzhev Photo: Nicolly Vimercate / dnetc
Want to buy a cell phone, TV and other discounted products? Meet the Compare dnetc
What BRata is different
The spy software was created in Brazil, is all in Portuguese and makes its victims in the country. So it was named BRata: Brazilian RAT, which stands for Remote Access Tool. Although it is a type of trojan (malware family that is well known to security researchers), it is a trojan that spies on your pocket, Dmitry explains.
This is not a classic banking trojan, which steals bank information. It also allows you to mirror the screen of the infected phone and has full spying capability of the handset. Not only about theft of credentials we're talking about, but about theft of any information available on the victim's cell phone, he points out.
In addition to the financial damage, are the privacy damages of users. Malicious apps like these are capable of reading and sending messages, accessing user location, viewing photos, reading the history of websites you've visited, enabling the device's camera and microphone, and entering even bank applications using login and the real password. In this scenario, we can say that BRata is very interesting, unique and also dangerous, warns Dmitry.
How the spy app works
In order to get users to download the app, criminals need to disguise it as attractive, such as a WhatsApp update and trick app stores. The first threat was detected by the Kaspersky team in January of this year, but the peak install took place in June, when WhatsApp warned its 1 billion users that there was a vulnerability in the app and that everyone should update urgently. A fake program was able to enter the Google Play Store with this façade and was downloaded over 10,000 times as soon as it was warned, Google took the app down. Not knowing the right way to upgrade WhatsApp, many users clicked on one of these BRatas. They thought they were protecting themselves, but they were bringing the enemy into the house.
Fake App WhatsApp Update on Play Store Photo: Divulgao / Kaspersky
Since malware is hosted on a mobile phone, everything a person does on the device can be seen by the criminal. When the bank app is open, for example, the bad guy can see everything being typed on the keyboard, such as the agency, account, and password numbers.
The information is sent to a program on the bandit's computer, which waits for the best time, and uses the victim's own smartphone to enter the app and make transactions even darkening the screen to hide his actions on the phone. As a result, the bank cannot detect fraud either, since the access was made from a legitimate device.
When the scam is over, the malicious application is uninstalled from the phone without the owner having to do anything. That is, when you realize that something wrong has happened to your bank account it is already too late.
Another feature of BRata, points out Dmitry, that he is not only used by a group, he is available for sale in the illegal market. With a few clicks, any malicious person can use mobile apps remotely. Anyone at all: The software can be purchased over the Internet for about $ 3,000. Those who pay this amount will have access to the program, technical support and more information.
Anncio on the Internet offers BRata malware for R $ 3 thousand Photo: Divulgao / Kaspersky
To date, 20 versions of the HEUR: Backdoor.AndroidOS.Brata malware have been identified by the all-Android security company, which represents 86% of mobile phones in Brazil, according to StatCounter. In addition to being hosted on Google Play, BRatas can be found at unofficial app stores. The attack can also come by other means: it can come by text messaging on WhatsApp or SMS or in notification form when the user enters a hacked site and receives a warning saying to install something.
In all three cases, Dmitry explains, we see one thing in common: social engineering. In this type of attack, what is exploited is not a system loophole itself, but the lack of information from people. If users know how these tricks work, surely they can better protect themselves by not clicking, closing the window, rejecting the message, and thinking twice about installing something just because it's in the Google app store, he points out.
Fake app asks permission to "Continue" even after saying installation is complete Photo: Nicolly Vimercate / dnetc
- Beware of the permissions In order for the malicious application to take control of the phone, the user must first accept the permissions required by the app, which can range from accessing the contacts directory to having administrator status of the device. Anyone who wants to avoid infection of the device should then carefully review all application demands and suspect if they are allowed to access any area that is not used for the operation of the app.
- Think before you click Unknown or suspicious URLs should be avoided even if the link was sent by a friend or family member. The same goes for notifications that pop up when you access websites and apps.
- Always be suspicious Although scams are becoming increasingly sophisticated, there is often evidence of farce. The BRata found by Kaspersky, for example, was available with the WhatsApp logo in blue and the name Whats App Update V2.0, in addition to being created by an unknown developer (JCLAlpp) – if it were the real app, it would have the seal. from Facebook, the company that owns the original messaging app.
Brazilian creative crime very creative, warns Dmitry. Unfortunately, BRata is the first of so many other attacks to come. The criminals are free, they will hardly be caught and will invent new versions of the coup, laments the expert.
* The journalist traveled to Argentina at Kaspersky's invitation
How to Remove Virus on an Android Phone