# BRATA
BRATA (Brazilian Remote Access Tool Android) is the banking trojan best known for factory-resetting victim devices after completing fraudulent wire transfers, destroying forensic evidence in the process. Originally targeting Brazilian users when Kaspersky first documented it in 2019, BRATA later expanded to European banking customers with increasingly aggressive capabilities. Cleafy tracked its evolution through multiple variants and ultimately reclassified the operation as an Advanced Persistent Threat. ThreatFabric later clarified that what the industry labeled "BRATA" was actually three distinct families: the original BRATA, AmexTroll, and Copybara.
## Overview
| Attribute | Details |
|---|---|
| First Seen | January 2019 |
| Last Seen | Mid-2022 (evolved into AmexTroll/Copybara) |
| Status | Original BRATA inactive; descendant families still active |
| Type | Banking trojan / RAT |
| Attribution | Unknown; Brazilian origin, later operations suggest possible Italian-speaking actors |
| Aliases | BRATA.A, BRATA.B, BRATA.C, AmexTroll |
| Development Tool | B4A (Basic4Android) framework |
## Vendor Names
| Vendor | Name |
|---|---|
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.Brata |
| ThreatFabric | BRATA / AmexTroll |
| McAfee | Android/Brata |
| ESET | Android/Spy.Brata |
| Cleafy | BRATA |
| Trend Micro | AndroidOS_Brata |
| Dr.Web | Android.BankBot.Brata |
| Malwarebytes | Android/Trojan.Spy.Brata |
| Symantec | Trojan.Gen.MBT |
## Origin and Lineage
Kaspersky researchers discovered BRATA in early 2019, identifying over 20 variants hosted on the Google Play Store disguised as WhatsApp updates and other popular apps. The malware targeted exclusively Brazilian users at this stage, combining remote access capabilities with credential theft.
McAfee documented BRATA's expansion beyond Brazil, finding variants targeting the United States and Spain while continuing to sneak past Google Play's security checks by posing as app security scanners.
By late 2021, Cleafy identified three distinct BRATA variants (BRATA.A, BRATA.B, BRATA.C) targeting UK, Italian, and Spanish banks. The January 2022 update introducing the factory reset kill switch marked the peak of BRATA's aggressiveness. Cleafy later reclassified the operation as an APT, noting that the actors would focus on one financial institution at a time and pivot only when the target implemented effective countermeasures.
ThreatFabric's "tale of three families" analysis resolved the naming confusion by demonstrating that BRATA, AmexTroll, and Copybara are separate families despite being conflated by the broader security community. All three use the B4A (Basic4Android) development framework, which became free in February 2020, roughly coinciding with the appearance of the newer variants.
## Distribution
BRATA's distribution methods evolved as the malware matured and expanded geographically.
| Vector | Details |
|---|---|
| Google Play | Original Brazilian campaigns used fake WhatsApp update and security scanner apps. McAfee found variants posing as app security scanners urging users to "update" Chrome, WhatsApp, or PDF readers. |
| WhatsApp messages | Lure messages sent to Brazilian users via WhatsApp, with the WhatsApp vulnerability CVE-2019-3568 used as the lure theme |
| Smishing | SMS messages impersonating banks, containing links to fake download pages |
| Sponsored search results | Paid Google ads directing to BRATA download pages |
| Phishing sites | Spoofed banking portals that instruct victims to download a "security app" |
The European campaigns shifted to smishing and vishing as the primary delivery method. Victims received SMS messages that appeared to originate from their bank, in some cases followed by a phone call from an operator impersonating bank support, who walked them through installing the malware.
## Capabilities
BRATA's capabilities expanded substantially across its lifecycle, from a relatively simple RAT to a full banking fraud platform with evidence destruction.
### Original (2019, Brazil-focused)
| Capability | Implementation |
|---|---|
| Screen capture | Real-time screen recording and streaming |
| Keylogging | Capture keystrokes via accessibility service |
| Remote interaction | Tap, swipe, and type on victim device remotely |
| App listing | Enumerate installed applications |
| Device unlock | Capture and replay PIN/pattern/password to unlock device |
| Phishing overlays | Display fake banking login pages over legitimate apps |
### European Expansion (Late 2021)
Cleafy documented three variants with distinct targeting:
| Variant | Targets | Distinguishing Feature |
|---|---|---|
| BRATA.A | UK, Italy, Spain | GPS tracking, device admin abuse, full overlay injects |
| BRATA.B | Italy | Dedicated phishing page for one specific Italian bank |
| BRATA.C | Italy | Dropper-based delivery, installs secondary payload |
### Kill Switch Update (January 2022)
Cleafy's analysis of the factory reset capability documented these additions:
| Capability | Implementation |
|---|---|
| Factory reset (kill switch) | Wipes device to factory defaults after successful wire transfer or when analysis is detected |
| GPS tracking | Continuous location monitoring of infected devices |
| HTTP/WebSocket C2 | WebSocket protocol added alongside HTTP for command delivery |
| Keylogging | Enhanced keystroke capture across all applications |
| SMS interception | Read and forward SMS for OTP capture |
| Device admin | Abuse BIND_DEVICE_ADMIN to prevent uninstallation and enable factory reset |
### APT Phase (Mid-2022)
Cleafy's APT reclassification report noted behavioral shifts:
| Behavior | Details |
|---|---|
| Targeted focus | Attacks concentrated on one financial institution at a time |
| Adaptive pivoting | Shifted targets when banks deployed countermeasures |
| Infrastructure rotation | Frequent C2 domain changes |
| Improved evasion | Additional obfuscation and anti-analysis techniques |
## Technical Details
### Factory Reset as Evidence Destruction
The factory reset mechanism is BRATA's signature technique. The C2 sends a byebye_format command that triggers the device's built-in factory reset via device admin privileges. This fires in two scenarios:
- After a successful fraudulent wire transfer, to eliminate traces of the malware and the transaction
- When the malware detects it is running in a virtual environment or analysis sandbox
The victim loses all data on the device, making forensic recovery extremely difficult. From the attacker's perspective, this buys time before the fraud is discovered, as the victim must first deal with a wiped device before they can check their bank account.
### Accessibility Abuse
BRATA uses the Android accessibility service for:
- Capturing screen content and keystrokes
- Auto-granting runtime permissions (SMS, phone, storage)
- Detecting foreground applications to trigger overlays
- Performing automated gestures for remote device control
- Preventing navigation to device settings for uninstallation
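The factory reset and accessibility abuse described in the two sections above both hinge on declarations an analyst can read straight out of a decoded APK: a receiver protected by BIND_DEVICE_ADMIN whose policy file grants wipe-data, a service protected by BIND_ACCESSIBILITY_SERVICE, and SMS/location permissions. The following Python script is an added triage example written for this page, not BRATA code and not any vendor's tool; the manifest and device-admin policy XML it parses are constructed to resemble apktool output, and the package and class names in them are invented.

```python
"""Static triage of a decoded AndroidManifest.xml plus its device-admin policy
resource for the component/permission mix BRATA relies on: a BIND_DEVICE_ADMIN
receiver whose policy grants wipe-data (the factory-reset kill switch), an
accessibility service, SMS permissions and fine location.

Added illustration; not BRATA code or a vendor tool. The XML below is
constructed to resemble apktool output; package and class names are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Namespaced key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (invented package and class names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakescanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Security Scanner">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed res/xml/device_admin.xml, the policy file the meta-data references.
SAMPLE_DEVICE_ADMIN_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <force-lock/>
    <wipe-data/>
  </uses-policies>
</device-admin>
"""

SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}


def triage_manifest(manifest_xml, policy_xml=None):
    """Extract the BRATA-relevant declarations from a decoded manifest.

    policy_xml is the device-admin policy resource pulled from res/xml; without
    it the wipe-data capability is reported as False (unknown).
    """
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    perms = {el.get(android_attr("name")) for el in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "fine_location": "android.permission.ACCESS_FINE_LOCATION" in perms,
        "device_admin_receiver": any(
            r.get(android_attr("permission")) == "android.permission.BIND_DEVICE_ADMIN"
            for r in root.iter("receiver")),
        "accessibility_service": any(
            s.get(android_attr("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
            for s in root.iter("service")),
        "wipe_data_policy": False,
    }
    if policy_xml is not None:
        policy = ET.fromstring(policy_xml.encode("utf-8"))
        findings["wipe_data_policy"] = policy.find("uses-policies/wipe-data") is not None
    return findings


def risk_score(findings):
    """Additive score; device admin plus wipe-data weighs most, since that
    pairing is what makes a byebye_format-style wipe possible."""
    score = 0
    if findings["device_admin_receiver"]:
        score += 1
        if findings["wipe_data_policy"]:
            score += 2
    if findings["accessibility_service"]:
        score += 2
    if findings["sms_permissions"]:
        score += 2
    if findings["fine_location"]:
        score += 1
    return score


if __name__ == "__main__":
    f = triage_manifest(SAMPLE_MANIFEST, SAMPLE_DEVICE_ADMIN_POLICY)
    print(f, "score:", risk_score(f))
```

The score is deliberately additive rather than a single signature: a legitimate MDM agent also declares a device-admin receiver with wipe-data, but rarely pairs it with an accessibility service and all three SMS permissions, and that combination is the thing worth a manual look.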
### C2 Communication
Early BRATA variants used standard HTTP POST for C2 communication. The January 2022 update added WebSocket support:
| Protocol | Usage |
|---|---|
| HTTP POST | Registration, data exfiltration, inject retrieval |
| WebSocket | Real-time command delivery for interactive sessions |
Key C2 commands:
| Command | Action |
|---|---|
| screen_capture | Capture and stream device screen |
| byebye_format | Factory reset the device |
| whoami | Retrieve device information and state |
| sentSMS | Send SMS from victim device |
| getContacts | Exfiltrate contact list |
| startApp | Launch specified application |
### B4A Framework
BRATA and its related families (AmexTroll, Copybara) are built using Basic4Android (B4A), a rapid Android development framework based on a BASIC-like language. B4A generates standard APKs but produces a distinctive code structure that is identifiable during static analysis. The framework became free in February 2020, lowering the barrier for adoption.
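The C2 command table and the B4A paragraph above together give an analyst two cheap static indicators: the command vocabulary (byebye_format and sentSMS in particular are unlikely to appear in benign code) and the B4A runtime classes. The following Python script is an added example for this page, not BRATA code and not a vendor signature. The command names are taken from the table above; the two sample string lists are constructed to resemble `strings` output over a classes.dex, and the marker `anywheresoftware.b4a` is the B4A runtime's package name, which any B4A-built APK ships (a framework fact stated here, not from the page).

```python
"""Triage of strings extracted from an APK for BRATA's C2 command vocabulary
and the B4A runtime package.

Added illustration, not BRATA code or a vendor signature. Command names come
from the documented C2 protocol; both sample string lists are constructed.
"""
import re

# Commands documented for BRATA's C2 protocol.
BRATA_COMMANDS = {"screen_capture", "byebye_format", "whoami",
                  "sentSMS", "getContacts", "startApp"}
# Names unlikely to occur in benign code; "whoami" and "startApp" are generic.
DISTINCTIVE = {"byebye_format", "sentSMS"}
KILL_SWITCH = "byebye_format"
# B4A runtime package (assumption stated in the lead-in: present in B4A-built APKs).
B4A_MARKERS = ("anywheresoftware/b4a", "anywheresoftware.b4a")

# Constructed strings output for a suspicious sample.
SUSPICIOUS_STRINGS = [
    "Lanywheresoftware/b4a/BA;",
    "Lanywheresoftware/b4a/keywords/Common;",
    "android.permission.BIND_DEVICE_ADMIN",
    "byebye_format",
    "screen_capture",
    "sentSMS",
    "whoami",
    "startApp",
    "wss://",
]
# Constructed strings output for a harmless app that shares two generic names.
BENIGN_STRINGS = ["Landroid/app/Activity;", "whoami", "startApp", "Settings"]


def classify_strings(lines):
    """Return command hits, framework marker, kill-switch flag and a verdict."""
    commands = sorted(
        cmd for cmd in BRATA_COMMANDS
        if any(re.search(r"\b" + re.escape(cmd) + r"\b", line) for line in lines)
    )
    b4a_runtime = any(marker in line for line in lines for marker in B4A_MARKERS)
    distinctive = [c for c in commands if c in DISTINCTIVE]
    # Distinctive command names corroborated by the framework marker or by
    # several further commands are treated as a family match; generic names
    # alone never are, to keep false positives on ordinary apps down.
    if distinctive and (b4a_runtime or len(commands) >= 3):
        verdict = "likely BRATA family"
    elif distinctive or len(commands) >= 3:
        verdict = "suspicious, review manually"
    else:
        verdict = "no match"
    return {
        "commands": commands,
        "b4a_runtime": b4a_runtime,
        "kill_switch": KILL_SWITCH in commands,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_STRINGS), ("benign", BENIGN_STRINGS)):
        print(name, classify_strings(sample))
```

Because later variants use string obfuscation (see Anti-Analysis below), this check is most useful on strings recovered after unpacking or dumped at runtime; a clean result on a packed sample rules nothing out. The kill_switch flag is reported separately so that a match can be escalated before the device is handed to a user again.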
### Anti-Analysis
| Technique | Method |
|---|---|
| String obfuscation | Encrypted strings resolved at runtime |
| Emulator detection | Checks build properties and hardware characteristics |
| Country/language check | Verifies device locale matches target region, refuses to run otherwise |
| Commercial packer | Later variants wrapped in commercial packing solutions |
| Factory reset on detection | Wipes device if sandbox/analysis environment is detected |
## Target Regions and Financial Institutions
BRATA's geographic scope expanded dramatically from its Brazilian origins.
| Phase | Regions | Targets |
|---|---|---|
| 2019 (Original) | Brazil | Brazilian banking apps, primarily via Google Play lures |
| 2020 (Expansion) | USA, Spain | Banking apps, delivered through Play Store security scanner fakes |
| Late 2021 (Europe) | UK, Italy, Spain | Major European banks, with Italy as primary focus |
| 2022 (APT phase) | Italy, Poland, Latin America | Concentrated single-institution targeting |
Italian banks were the heaviest targets during the European phase. BRATA.B was built specifically for a single Italian banking institution, demonstrating the level of targeting precision the operators achieved.
## Notable Campaigns
January 2019: Kaspersky identified BRATA targeting Brazilian users via fake WhatsApp updates on Google Play, with over 20 variants discovered.
2020: McAfee reported BRATA variants on Google Play targeting US and Spanish users, disguised as app security scanners that urged victims to install fake updates for Chrome, WhatsApp, and PDF readers.
Late 2021: Cleafy detected three new BRATA variants (A, B, C) targeting European banking customers in the UK, Italy, and Spain, with new GPS tracking and overlay capabilities.
January 2022: Cleafy published the factory reset analysis, revealing the byebye_format kill switch that wipes devices after fraud completion. The finding attracted widespread media coverage as the first banking trojan to systematically destroy evidence on victim devices.
Mid-2022: Cleafy reclassified BRATA as an APT, noting the operators' shift to targeted single-institution attacks with infrastructure rotation and adaptive pivoting when countermeasures were deployed.
June 2022: ThreatFabric published "BRATA: a tale of three families", clarifying that the "BRATA" label covered three distinct families: the original BRATA, AmexTroll (which expanded to UK and Australian targets), and Copybara (which focused on Italian banks with MQTT-based C2). All three used the B4A development framework.