{
	"id": "dc3b7413-9e06-44b0-9110-5a8a2b45edf3",
	"created_at": "2026-04-06T00:10:34.641798Z",
	"updated_at": "2026-04-10T13:12:46.130901Z",
	"deleted_at": null,
	"sha1_hash": "388f0d251267a3bffce339baa05fc669831e9f53",
	"title": "How BRATA is monitoring your bank account",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6693122,
	"plain_text": "How BRATA is monitoring your bank account\r\nBy Federico Valentini, Francesco Iubatti\r\nArchived: 2026-04-05 19:52:26 UTC\r\nIntroduction\r\nIn our previous article “Mobile banking fraud: BRATA strikes again” we described how threat actors (TAs) leverage the Android banking trojan BRATA to perpetrate fraud via unauthorized wire transfers.\r\nIn this article, we present further insights into how BRATA is evolving in terms of both new targets and new features, such as:\r\nCapability to perform a factory reset of the device: TAs appear to leverage this feature to erase any trace right after an unauthorized wire transfer attempt.\r\nGPS tracking capability.\r\nCapability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection.\r\nCapability to continuously monitor the victim's bank application through VNC and keylogging techniques.\r\nA new BRATA variant started circulating last December. Our research shows that it has been distributed through a downloader to avoid being detected by antivirus solutions.\r\nThe target list now contains further banks and financial institutions in the UK (new), Poland (new), Italy, and LATAM.\r\nFigure 1 – The upward trend of BRATA during the last month\r\nEvolution of BRATA malware\r\nOur previous article analyzed multiple BRATA samples from different campaigns targeting customers of one of the most prominent Italian retail banks. However, during the last months, our telemetry detected two new waves of BRATA samples. 
The first wave started in November 2021, and the second around mid-December 2021.\r\nDuring the second wave, TAs began to deliver a few new tailored variants of BRATA in different countries, in particular against banking customers of the UK (NEW), Poland (NEW), Italy, and LATAM (but we also spotted some samples containing Spanish and Chinese strings).\r\nhttps://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account\r\nPage 1 of 11\r\nFigure 2 – Some of the most common BRATA app icons\r\nFigure 3 – The three main variants of BRATA\r\nAt the time of writing, we have intercepted three primary variants of BRATA (variants A, B and C), as shown in Figure 3.\r\nBRATA.A has been the most used variant during the past months. During December, TAs added mainly two new features: GPS tracking of the victim's device, which appears to be still under development, and the capability to execute a factory reset of the infected device, as described in the following sections.\r\nBRATA.B has almost the same capabilities and features. However, the main differences found are the partial obfuscation of the code and the use of tailored overlay pages to steal the security number (or PIN) of the targeted banking application, as shown in Figure 4.\r\nFurthermore, in this variant, the HTTP communications between the malicious app and the C2 appear to be in clear text, while in BRATA.A they were compressed with the zlib library.\r\nFigure 4 – Example of BRATA overlay used to steal the security number of the victim\r\nBRATA.C is composed of an initial dropper used to download and execute the “real” malicious app in a later step. As already shown, TAs are continually modifying the malware to avoid being detected by antivirus solutions, using unconventional techniques. Although the majority of Android banking trojans try to obfuscate/encrypt the malware core in an external file (e.g. 
.dex or .jar), BRATA uses a minimal app that downloads the core BRATA app (.apk) in a second step.\r\nFigure 5 – The BRATA downloader is detected by almost no antivirus solution\r\nFigure 6 – Permissions declared inside the AndroidManifest of the latest variant of BRATA\r\nFigure 7 – Installation phases of the new variant of BRATA\r\nIn Figure 7, we summarize the installation phases of BRATA.C. After the victim installs the downloader app, it requires the victim to accept just one permission, which allows it to download and install the malicious application from an untrusted source. When the victim clicks on the install button, the downloader app sends a GET request to the C2 server to download the malicious .apk. At this point, the victim has two malicious apps installed on their device.\r\nBank Account Monitoring\r\nLike other leading Android banking trojans, BRATA has its own custom methods to monitor bank accounts and other actions the victim performs on their mobile device. During the installation phases, BRATA obtains Accessibility Service permissions, which let TAs observe the activity performed by the victim and/or use the VNC module to retrieve private information shown on the device’s screen (e.g. bank account balance, transaction history, etc.).\r\nAs soon as TAs send the command “get_screen” from the C2 server, BRATA starts taking screenshots of the victim’s device and sends them back to the C2 server through the HTTP channel, as shown in Figure 9.\r\nFigure 8 – BRATA receives the “get_screen” command from the C2 server\r\nFigure 9 – Example of screenshot sent to the C2 server\r\nAn additional functionality that was observed is keylogging. BRATA.B monitors all of the user’s keystrokes while the targeted bank application is in use. 
Let’s consider a common scenario, like the one shown in Figure 10, where a victim opens their bank application and starts typing into the two visible fields, Agencia and Conta. If the keylogging functionality is enabled, the two numbers entered by the victim will be sent to the C2 server for further processing.\r\nFigure 10 – Hooking of cuenta and agencia fields of the targeted bank\r\nGPS Tracking\r\nBy analyzing the application’s manifest, we discovered a GPS permission that the application intends to use. As far as we know, this permission is actually requested at installation; however, we found no evidence in the code that it is actually used. For this reason, we can only guess that the malware developers are requesting this permission for future development, most likely to target people in specific countries or to enable other cash-out mechanisms (e.g. cardless ATMs).\r\nIt is worth mentioning that a GPS signal can easily be spoofed by third-party applications and, because of that, it is possible that development of this feature has been stopped for now.\r\nFigure 11 – GPS permission requested by BRATA\r\nFactory Reset\r\nOur analysis of the new BRATA samples found that a factory reset feature has been implemented. More precisely, according to the information retrieved, this mechanism represents a kill switch for the malware. In fact, we observed that this function is executed in two cases:\r\nA bank fraud has been completed successfully. 
In this way, the victim loses even more time before realizing that a malicious action took place.\r\nThe application is installed in a virtual environment. BRATA executes this feature to hinder dynamic analysis.\r\nThese statements are confirmed by the keyword SendMsg_formatdevice within the eventname structure, which is used each time an action is performed.\r\nFigure 12 – List of commands used by a new sample of BRATA\r\n_wsh_formatthisdevice is the function in charge of performing the mobile phone reset. As shown in Figure 13, it is a standard procedure that checks if the admin manager variable is set, then initializes the reflection class and retrieves the Device Manager (dm) to run the wipeData method [1].\r\nFigure 13 – Factory reset function\r\nFigure 14 – “device admin” permission requested by BRATA\r\n[1] https://developer.android.com/reference/android/app/admin/DevicePolicyManager\r\nCommunication Channels\r\nWe observed that BRATA and its C2 use multiple channels to communicate with each other. More specifically, the application’s first communications with the C2 go through the HTTP protocol; then, if the server is online, the connection is switched to the WebSocket protocol (Figure 15).\r\nDuring these HTTP exchanges, BRATA checks for and removes any antivirus apps installed on the infected device (Figure 16) and subsequently receives its configuration file from the C2 server.\r\nFigure 15 – Starting communication\r\nFigure 16 – List of antivirus apps that BRATA is able to remove\r\nThis switch of channels could be justified by the fact that WebSocket is an event-driven protocol, which means that it is suitable for real-time communication. 
Moreover:\r\nWebSockets keep a single, persistent connection open, eliminating the latency problems that arise with HTTP request/response-based methods.\r\nWebSockets generally do not use XMLHttpRequest, and as such, headers are not sent every time more information is needed from the server. This, in turn, reduces the expensive data loads being sent to the server.\r\nReducing the amount of data transferred between the C2 and its application is, then, crucial, especially when the goal is to exfiltrate data over a network that could be under a continuous traffic monitoring system.\r\nAs shown in Figure 17, the WebSocket protocol is used by the C2 to send specific commands that need to be executed on the phone (e.g. whoami, byebye_format, screen_capture, etc.). As far as we know, from a connection perspective the malware is in a waiting state most of the time, until the C2 issues commands instructing the app on the next step.\r\nFigure 17 – Factory reset command sent\r\nFinal Considerations\r\nThis research aims to show how BRATA is trying to reach new targets and to develop new features. Since its discovery by Kaspersky in 2019, we have been able to collect evidence and monitor how TAs are leveraging this banking trojan to perform fraud, typically through unauthorized wire transfers (e.g. 
SEPA) or through Instant Payments, using a wide network of money mule accounts in multiple European countries.\r\nAccording to our findings, we can expect BRATA to keep evading detection and to keep developing new features.\r\nAppendix 1: IOCs\r\nIoC Description\r\n220ec1e3effb6f4a4a3acb6b3b3d2e90 BRATA.A\r\ne664bd7951d45d0a33529913cfbcbac0 BRATA.B\r\n2dfdce36a367b89b0de1a2ffc1052e24 BRATA.C (downloader)\r\n5[.]39[.]217[.]241 C2 server\r\nSource: https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"
	],
	"report_names": [
		"how-brata-is-monitoring-your-bank-account"
	],
	"threat_actors": [],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/388f0d251267a3bffce339baa05fc669831e9f53.pdf",
		"text": "https://archive.orkl.eu/388f0d251267a3bffce339baa05fc669831e9f53.txt",
		"img": "https://archive.orkl.eu/388f0d251267a3bffce339baa05fc669831e9f53.jpg"
	}
}