{
	"id": "19b88a3f-4a36-4537-8e2c-ecda9f332252",
	"created_at": "2026-04-06T00:18:06.23288Z",
	"updated_at": "2026-04-10T03:19:55.834768Z",
	"deleted_at": null,
	"sha1_hash": "2940294ef8674ff260e626de63d03e0ad7a7b18b",
	"title": "BRATA is evolving into an Advanced Persistent Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9503588,
	"plain_text": "BRATA is evolving into an Advanced Persistent Threat\r\nBy Francesco Iubatti, Alessandro Strino\r\nArchived: 2026-04-05 17:20:24 UTC\r\nIntroduction\r\nHere we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs)\r\nhave further improved the capabilities of this malware. In our previous blog post [1] we defined three main\r\nBRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021.\r\nHowever, during the last months we have observed a change in the attack pattern commonly used.\r\nIn fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used\r\nto describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal\r\nsensitive information.\r\nThreat Actors behind BRATA, now target a specific financial institution at a time, and change their focus only\r\nonce the targeted victim starts to implement consistent countermeasures against them. Then, they move away from\r\nthe spotlight, to come out with a different target and strategies of infections. At first glance, it seems to be a good\r\nstrategy with a relevant pay off. However, it’s important to point out also the struggles and the plan needed to\r\napply this pattern.\r\nAs we highlighted through our metrics, when a new release comes out there are also new features that make it\r\nmore dangerous. 
In recent months, a new BRATA.A variant has been spotted in EU territory posing as specific bank applications, and it includes some internal changes, such as:\r\nA new phishing technique that mimics the login page of the targeted bank;\r\nBrand new classes that acquire GPS, overlay, SMS and device management permissions;\r\nSideloading a piece of code (second stage) downloaded from its C2 to perform event logging.\r\nIn this article, we give an overview of these new features in order to work out their purposes and forecast new evolutions.\r\nFigure 1 – BRATA activities during 2021/2022\r\n[1] https://www.cleafy.com/labs\r\nhttps://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat\r\nPage 1 of 10\n\n[2] https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account\r\n[3] https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again\r\nBRATA updates\r\nAs we already mentioned in the previous paragraph, TAs are modifying their code in order to tailor their malware to specific banking institutions. This refactoring actually makes only small changes compared to old versions of BRATA: a handful of classes have been added for very specific purposes.\r\nNevertheless, before proceeding with a deep dive into BRATA’s features, in Figure 2 we have highlighted all the new functions that we observed in the last month. 
Most of them are very specific and their purpose is crystal clear.\r\nFigure 2 – Differences between BRATA variants\r\nBy way of example, we observed a login class that disguises itself as a classic login page in order to harvest credentials from unaware users, as well as classes like startactdevmang, startactgpper, startactoverlay and startsmspermnew, which have been introduced to request additional permissions for later fraud phases (e.g., device administration, GPS, overlay, SMS, etc.).\r\nCredential Harvesting Attack\r\nInvestigation of this sample has led our researchers to discover that BRATA has been equipped with a phishing page that recreates the login page of a famous Italian bank. In this way, TAs try to steal sensitive information from their victims in order to perform some sort of social engineering in a later stage of the fraud. As shown in Figure 3, the victim is lured into typing their Numero Cliente and PIN. This information is the foundation of the authentication process commonly used by banks.\r\nFigure 3 - BRATA phishing page\r\nIt’s worth mentioning that, at the time of writing, this feature seems to be under development. This hypothesis is supported by the fact that there is no data exchange between the victim device and the TA infrastructure. Moreover, log information and local databases did not show evidence that this information is stored anywhere on the device. 
Another possibility is the use of the screen recording functionality, which would avoid storing this information on the device; however, adopting this strategy requires additional alerting mechanisms in order to properly see all the codes typed.\r\nFurthermore, the current version of BRATA has introduced two new permissions inside the AndroidManifest file, RECEIVE_SMS and SEND_SMS. The combination of the phishing page with the ability to receive and read the victim’s SMS messages could be used to perform a complete Account Takeover (ATO) attack.\r\nFigure 4 – Function used to create the phishing page\r\nExternal Payload - Event logging\r\nAs we already mentioned above, after being correctly installed on the victim’s phone, this BRATA version downloads a .zip file from its C2. This file contains a jar file named unrar.jar.\r\nFigure 5 – BRATA external payload\r\nFrom the information retrieved, this plugin seems to be in charge of monitoring events generated by applications. More specifically, each time there is a change in a text view, it stores in a local database a pair consisting of the Event Text and the Date when the event occurred.\r\nFigure 6 – BRATA keylogger function\r\nAt the time of writing, this feature seems to be under development too. 
However, our hypothesis is that TAs are trying to extend the functionality of the malware to get data from other applications by abusing the Accessibility Service.\r\nSMS Stealer\r\nDuring our analysis of the latest BRATA campaign, we found a suspicious app connected to the same BRATA C2 infrastructure.\r\nFigure 7 – Low detection of the SMS stealer app\r\nFigure 8 – Permissions declared inside the AndroidManifest file\r\nAnalyzing the suspicious app, we observed that its developer(s) used the same framework used in the BRATA malware, and also the same names for several classes (Figure 9).\r\nThanks to a deeper analysis, it is possible to say that the TAs have reused some portions of BRATA’s code to create this new malicious app. Our hypothesis is that the TAs are trying to develop new types of malware, or that they are just running some simple experiments to create new types of attacks, like contact harvesting or SMS sniffers, in order to stay undetected.\r\nFigure 9 – Name similarities between BRATA and the SMS stealer\r\nFigure 10 – Code similarities between BRATA and the SMS stealer\r\nThe malicious app seems to target three different countries: Great Britain, Italy and Spain. In fact, during the installation phases it requires the user to choose the language of the app.\r\nFigure 11 – SMS stealer targeted countries\r\nOnce installed, the attack pattern is similar to that of other SMS stealers. 
The malicious app asks the user to replace the default messaging app with the malicious one in order to intercept all incoming messages, which banks in the PSD2 area typically use for sending authorization codes (2FA/OTP).\r\nFigure 12 - factory reset command sent\r\nThe similarities between the SMS stealer and BRATA can also be found in the network communication, since both use the following two ports and the endpoint \"/rdc\":\r\nPort 19999: used to notify the C2 that the malicious app was installed on the victim device\r\nPort 18888: used to send the intercepted SMS messages to the C2\r\nFigure 13 – Address and ports used to communicate with the C2\r\nFinal Considerations\r\nStarting from June 2021, when we first intercepted the BRATA campaigns in Italy, we have observed an uninterrupted evolution of both the malware and the attack methodologies used by the TAs. The first malware campaigns were distributed through fake antivirus or other common apps, while in the most recent campaigns the malware is taking the form of an APT attack against the customers of a specific Italian bank.\r\nThe latter trend, the so-called “Advanced Persistent Threat”, seems to be the attack pattern that TAs are going to use in the coming year. 
They usually focus on delivering malicious applications targeting a specific bank for a couple of months, and then move on to another target.\r\nAppendix 1: IOCs\r\nIoC Description\r\n1ae5fcbbd3d0e13192600ef05ba5640d BRATA\r\n69d3ce972e66635b238dc17e632474ec SMS stealer\r\n51[.]83[.]251[.]214 C2 server used by BRATA and the SMS stealer\r\n51[.]83[.]225[.]224 Other BRATA C2 server\r\nSource: https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat"
	],
	"report_names": [
		"brata-is-evolving-into-an-advanced-persistent-threat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434686,
	"ts_updated_at": 1775791195,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2940294ef8674ff260e626de63d03e0ad7a7b18b.pdf",
		"text": "https://archive.orkl.eu/2940294ef8674ff260e626de63d03e0ad7a7b18b.txt",
		"img": "https://archive.orkl.eu/2940294ef8674ff260e626de63d03e0ad7a7b18b.jpg"
	}
}