Watch Out For This Android Malware That Factory Resets Your Phone After Stealing Your Money

Watch Out For This Android Malware That Factory Resets Your Phone After Stealing Your Money
Photo: Rafael Henrique/SOPA Images/LightRocket, Getty Images

Research published earlier this week shows that a nasty Android banking malware has evolved, bringing with it a number of alarming new features — including the ability to factory reset your device after stealing your money.

The malware in question is called BRATA, short for “Brazilian Remote Access Tool Android.” As you might expect from its name, it originally popped up in Brazil several years ago but has since spread to many other parts of the globe. Researchers with security firm Cleafy wrote this week that the newest version of the malware, first spotted in December, has a number of additional features that give criminals an even better vantage point over their victims than previous iterations.

Technically, BRATA is a banking trojan, meaning that it is designed to steal money from banking apps or other financial services. It’s also a RAT (remote access tool), which is a generic term for a program that can remotely deploy code on a device. RATs are commonly used by criminals to spread malware.

BRATA developers are known to use fake, trojanized apps to infiltrate victims’ phones. Such apps can be trafficked onto Google Play or other legitimate sites, where they then ensnare unsuspecting users. Once the apps are downloaded, they ask for intrusive permissions which allow the malware operators to gain intimate access to the user’s device.

Trojans frequently come with keyloggers and other spyware capabilities — and BRATA is no exception. Using the trojan, criminals will actually deploy fake login pages onto the user’s phone, which then allows them to harvest login credentials to e-banking accounts, researchers write.

The newest version now carries with it an added capability that allows hackers to erase any evidence of their misdeeds by factory resetting a device after pilfering its e-banking applications for cash. “This mechanism represents a kill switch for this malware,” researchers wrote, noting that the factory reset was frequently observed after a “bank fraud has been completed successfully.” In this fashion, the victim “is going to lose even more time before understanding that a malicious action happened,” they noted. In other words, the factory reset mechanism is designed to blindside the victim while the cybercriminals make off with their ill-gotten goods.

But the factory reset was also witnessed during times when BRATA’s trojan apps were installed in a virtual environment, according to researchers. This is interesting, because researchers will typically install malicious programs in virtual environments to study them safely. The thinking, then, is that BRATA’s developers may initiate the malware implosion to prevent analysis of the software’s code, thus keeping “white hat” hackers from reverse engineering its programming.

Earlier versions of BRATA have previously been witnessed in the U.S., and the newest version has recently been seen targeting banking institutions in the United Kingdom, Poland, and Italy, researchers wrote.

Given BRATA’s reliance on trojan apps, the best course of protective action is to vet every app you download — something you should definitely be doing anyway. In early 2021, it was reported that BRATA apps had been snuck onto the Google Play store, though they were subsequently removed. In general, you should stick with apps that are well-known and trusted, and avoid programs found on sketchy third-party sites, lest you end up with a phone full of malware.