{
	"id": "89dbfeff-0d2d-49e4-9906-52ef098e65ce",
	"created_at": "2026-04-06T00:18:15.715611Z",
	"updated_at": "2026-04-10T03:20:47.978739Z",
	"deleted_at": null,
	"sha1_hash": "3c2d890546f91366a5cecb7a7983ce0b84858d5b",
	"title": "Brata - a tale of three families",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1190449,
	"plain_text": "Brata - a tale of three families\r\nPublished: 2024-10-01 · Archived: 2026-04-05 17:51:17 UTC\r\nIntro\r\nThe infosec community has a very long and undeniably bad record when it comes to naming malware families. May it be the\r\ntendency of calling anything new that appears in the wild a variation of the dreaded \u003cSome-string-i-found-in-the-malware\u003eBot, or the necessity to note down all the different aliases used by different vendors to refer to the same malware\r\nfamily.\r\nThis problem is known, and often joked about among researchers: in 2022 this issue has been evident with many malware\r\nfamilies, like Anatsa, beign known also as TeaBot or Toddler, and Cabassous, known also as Flubot.\r\nIt is not as common for the opposite problem to arise: it is infact quite rare for different malware families to share the same\r\nname. However, ThreatFabric believes this is exactly the case for what has been referred to as Brata.\r\nWe believe that what has been up to now categorized as Brata, is instead a conglomerate of 3 different families: Brata,\r\nAmexTroll, and Copybara.\r\nIn addition, for the for the first time we observed AmexTroll expanding its focus, from targeting only a few institutions in\r\nItaly, to featuring almost 50 different targets, among British and Australian institutions.\r\nThe Brata saga\r\nThe first appearance of this name dates back to middle of 2019, while this malware family was reported to abuse a CVE in\r\nthe popular instant messaging application WhatsApp to target victims in Brazil.\r\nThis malware family was also capable of keylogging data from victim’s devices thanks to Accessibility Service abuse, like\r\nmost modern malware families are able to do nowadays.\r\nThis campaign lasted about 6 months, and no new samples of this family were observed after the end 2019.\r\nhttps://www.threatfabric.com/blogs/brata-a-tale-of-three-families\r\nPage 1 of 14\n\nAfter these events, there was no mention of this malware 
family until the end of 2021, when reports of a new strain of Brata targeting Italy started circulating. These reports mentioned two new variants of Brata, this time active in Europe, more specifically in Italy, with many new features and a new modus operandi.\r\nAccording to the research published, the two variants were supposedly subsequent iterations of the same malware family. However, ThreatFabric observed these two families being distributed simultaneously, and through different channels, throughout the first half of 2022. We also believe these two families to be different in implementation and scope, and quite possibly operated by different actors. This is the reason why we do not refer to these families by the name Brata, but with two separate, different names:\r\nAmexTroll and Copybara.\r\nThe incredible confusion within the infosec community and financial institutions about AmexTroll and Copybara, and their alleged connections with Brata, pushed us to write this blog.\r\nThese two families share a few similarities, which led to this mistake in categorization. In addition, some leaked messages from the author of AmexTroll allegedly connect him to the development of the original Brata.\r\nHowever, the differences are evident and substantiate the need to differentiate between the two, despite the possibility of the same threat actor being behind both.\r\nSimilarities\r\nBasic 4 Android (B4A)\r\nThe two malware families do indeed share a few similarities in their overall design and development. Apart from both being Android bankers, the most obvious commonality is the tooling used for their development. Android natively supports two languages, Java and Kotlin. 
In addition, through JNI (the Java Native Interface), developers can also call code written in C/C++ that is packaged as shared libraries.\r\nThe large majority of Android malware is developed using a combination of these two approaches. However, for both AmexTroll and Copybara, the tool of choice is Basic 4 Android (from here onwards referred to as B4A).\r\nNOTE: ThreatFabric would like to note that B4A and the B4X suite are completely legitimate programs, and that the developers who created this project have no control over the misuse of their software.\r\nB4A belongs to the B4X suite, developed by “Anywhere Software”. Its name comes from its similarity to BASIC, despite it being an independent and proprietary language in its own right. The framework relies on a combination of simple UI-based designer tools and its BASIC-like language. The framework then interprets the designs and code in the project and creates a corresponding, valid APK.\r\nAmexTroll and Copybara are not the only malware families built using this software, despite being arguably the most advanced ones, and the appearance of such families roughly coincides with B4A becoming a free product.\r\nIn addition, this framework does not provide a built-in way to interact with the Accessibility services, but any average developer should be able to implement a simple bridge class to interface the framework with them. In both our cases, actors seem to be using modified versions of libraries published online by other B4A users on developer forums.\r\nCapabilities\r\nIn terms of capabilities, the two families do share a few common features. Most notably, they both are Android malware families targeting mostly Italy. 
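The shared tooling and capability overlap described above lends itself to a quick triage check. The following is an added example written for this page, not code from the ThreatFabric post or from either malware family: it scores an APK from its already-extracted dex class names and manifest permission sets for the B4A runtime (the anywheresoftware.b4a package the toolchain embeds in every build), the two B4A helper libraries the decompiled snippets on this page rely on (Reflection and JavaObject), and the permission combination needed for the accessibility bridge, the overlay, the factory-reset call and the SMS companions. The weighting, the verdict thresholds and the sample inputs are assumptions made for the example; the class and permission lists would normally come from an extractor such as androguard or apkanalyzer.

```python
# Added triage example (editor's code, not from the ThreatFabric post): given the
# class names and manifest facts already extracted from an APK (for instance with
# androguard or apkanalyzer), flag the B4A toolchain and the capability combination
# the post describes for AmexTroll/Copybara. Thresholds and the sample inputs below
# are assumptions made for this example.
from dataclasses import dataclass

# B4A-compiled apps embed the B4A runtime under this package (core classes such as
# anywheresoftware.b4a.BA); the two helper classes are the libraries the decompiled
# snippets in the post rely on for the wipeData() call and for the overlay call.
B4A_RUNTIME_PREFIX = 'anywheresoftware.b4a.'
B4A_HELPER_CLASSES = {
    'anywheresoftware.b4a.agraham.reflection.Reflection',
    'anywheresoftware.b4j.object.JavaObject',
}

# Manifest artefacts each described capability needs on Android:
#  - an accessibility service is declared with android:permission BIND_ACCESSIBILITY_SERVICE
#  - DevicePolicyManager.wipeData() only works for a device-admin receiver (BIND_DEVICE_ADMIN)
#  - drawing a full-screen overlay needs SYSTEM_ALERT_WINDOW
#  - the SMS companion apps need RECEIVE_SMS to capture 2FA tokens
CAPABILITY_SIGNALS = {
    'accessibility_bridge': ('component', 'android.permission.BIND_ACCESSIBILITY_SERVICE'),
    'device_admin_wipe': ('component', 'android.permission.BIND_DEVICE_ADMIN'),
    'overlay': ('uses', 'android.permission.SYSTEM_ALERT_WINDOW'),
    'sms_capture': ('uses', 'android.permission.RECEIVE_SMS'),
}


@dataclass
class TriageResult:
    b4a_runtime: bool
    b4a_helpers: list
    capabilities: list
    verdict: str
    score: int = 0


def triage(classes, uses_permissions, component_permissions):
    '''Score one APK from its dex class names and its manifest permission sets.'''
    classes = set(classes)
    b4a_runtime = any(c.startswith(B4A_RUNTIME_PREFIX) for c in classes)
    helpers = sorted(B4A_HELPER_CLASSES & classes)
    caps = []
    for name, (kind, perm) in CAPABILITY_SIGNALS.items():
        bucket = uses_permissions if kind == 'uses' else component_permissions
        if perm in bucket:
            caps.append(name)
    # Assumed weighting: B4A alone is legitimate and common; it only becomes
    # interesting together with an accessibility bridge plus a second capability.
    score = (1 if b4a_runtime else 0) + len(helpers) + 2 * len(caps)
    if b4a_runtime and 'accessibility_bridge' in caps and len(caps) >= 2:
        verdict = 'review: B4A banker pattern'
    elif 'accessibility_bridge' in caps and 'overlay' in caps:
        verdict = 'review: accessibility + overlay'
    else:
        verdict = 'no match'
    return TriageResult(b4a_runtime, helpers, caps, verdict, score)


# Constructed sample inputs (not real extractions from the samples listed in the appendix).
SAMPLE_BANKER = {
    'classes': ['anywheresoftware.b4a.BA', 'anywheresoftware.b4a.objects.PanelWrapper',
                'anywheresoftware.b4a.agraham.reflection.Reflection',
                'anywheresoftware.b4j.object.JavaObject', 'koala.viber.vip.accservice'],
    'uses_permissions': {'android.permission.SYSTEM_ALERT_WINDOW', 'android.permission.INTERNET'},
    'component_permissions': {'android.permission.BIND_ACCESSIBILITY_SERVICE',
                              'android.permission.BIND_DEVICE_ADMIN'},
}
SAMPLE_B4A_HOBBY_APP = {
    'classes': ['anywheresoftware.b4a.BA', 'b4a.example.main'],
    'uses_permissions': {'android.permission.INTERNET'},
    'component_permissions': set(),
}

if __name__ == '__main__':
    for label, sample in (('banker', SAMPLE_BANKER), ('hobby app', SAMPLE_B4A_HOBBY_APP)):
        print(label, triage(**sample))
```

The point of the weighting is the one the text makes: the B4A runtime on its own proves nothing, since the toolchain is free and legitimate, so the check only escalates when it co-occurs with an accessibility service and at least one of the overlay, device-admin or SMS signals.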
In addition, they also operate similarly in the way they perform screen streaming: both generate a series of screenshots every few milliseconds, which they then send to the C2 to mimic a real-time video stream. In this way, operators on the other side can interact with the device remotely, allowing criminals to perform actions directly on the infected device. This feature is the key to performing On-Device Fraud (ODF) once PII has been exfiltrated, and is implemented in both cases using libraries publicly available on the B4A forum.\r\nBoth families also sport a relatively unique feature, which allows operators to remotely initiate a factory reset on the device, potentially to disrupt investigations or clean the device of possible traces of infection. This feature is also not new, and was observed mostly in CIS malware a few years ago. However, due to its disruptiveness and debatable usefulness, it has been mostly abandoned. The feature is implemented with the exact same code in the two families (decompiled from the B4A-generated Java; comments added):\r\n// accservice._manager is the B4A accessibility bridge object; only act when it is enabled\r\nif (accservice._manager.getEnabled()) {\r\n // B4A Reflection library: point at the bridge object, then replace the target with the value of its \"dm\" field\r\n Reflection reflection0 = new Reflection();\r\n reflection0.Target = accservice._manager;\r\n reflection0.Target = reflection0.GetField(\"dm\");\r\n // RunMethod2(method, argument, argument type) is equivalent to dm.wipeData(0). The signature matches\r\n // DevicePolicyManager.wipeData(int), which only succeeds if the app holds device-admin rights;\r\n // flag 0 requests a plain factory reset with no extra options.\r\n reflection0.RunMethod2(\"wipeData\", \"0\", \"java.lang.int\");\r\n return \"\";\r\n}\r\nHowever, it is worth noting that this code, as well as the code responsible for the screenshot stream, is also available online on the B4A forum, published in public threads. Considering that both families also use other code developed and published by other users on the same forum, this is not sufficient grounds to connect the two families.\r\nDifferences\r\nWhat follows is not an extensive description of the features of the two malware families, as that has already been done by other researchers. 
It is a study of the differences that motivate the need for a separate categorization.\r\nAmexTroll\r\nThe AmexTroll family has been active since the second half of 2021, with a few initial test samples being distributed, targeting Italian institutions. The first campaign was quite limited in size, and was followed a few months later, between the end of 2021 and the beginning of 2022, by more refined campaigns, still targeting Italy and posing as an array of security-related applications.\r\nRecently, new developments brought this family into the spotlight again. The main reason behind this was the public announcement made by the actor behind its development, very likely of Brazilian origin, who put it on the market for a beta test of a rental scheme for the product. This was a notable event for this family, as up to this point it had been privately run.\r\nThe beta was able to find enough backers to proceed, as can be seen from the Telegram account used to sell access to the bot.\r\nAfter this announcement, the number of samples for this family started to increase, and so did the range of applications it poses as: mostly Brazilian institutions as well as more generic security applications.\r\nOne feature that is specific to AmexTroll with respect to other malware families (but which incidentally also exists in the original Brata) is the “black overlay” feature. As the name implies, it simply consists of being able to generate a completely black overlay displayed in the foreground of the device's UI. This feature, despite being very simple, is also very dangerous for infected victims.\r\nHere is the code responsible for this feature. As you can see, it sets up a panel with RGB values [0,0,0], which corresponds to black, and an alpha channel parsed from the opacity argument supplied by the caller. 
After that, it calls the method responsible for placing the overlay in the foreground of the UI (decompiled from the B4A-generated Java; comments added):\r\npublic static String _open_black_overlay(String opacity) throws Exception {\r\n // Full-screen B4A panel: black, with the alpha channel taken from the operator-supplied argument\r\n PanelWrapper panelWrapper0 = new PanelWrapper();\r\n panelWrapper0.Initialize(websock_service.processBA, \"\");\r\n panelWrapper0.setColor(Colors.ARGB(((int) Double.parseDouble(opacity)), 0, 0, 0)); // int v = vnc_var._get_resoluti\r\n int v1 = vnc_var._get_resolution(websock_service.processBA, false);\r\n // Hand the panel to the helper that attaches it as an overlay window at (0,0) with the screen dimensions;\r\n // the Portuguese method name (\"criar\" = create) is consistent with the suspected Brazilian origin of the author\r\n JavaObject javaObject0 = new JavaObject();\r\n javaObject0.InitializeContext(websock_service.processBA);\r\n javaObject0.RunMethod(\"criar_overlay_acess_simple\", new Object[] {\r\n panelWrapper0.getObject(), ((int) 0), ((int) 0), v, v1\r\n });\r\n // Reset the overlay state flags and report success to the C2 (\"TRAVADO\" is Portuguese for \"locked\")\r\n overlay_var._setstate_locked(websock_service.processBA, false);\r\n websock_service._reset_overlay(false);\r\n websock_service._sender_sucessmessage(\"TRAVADO\");\r\n return \"\";\r\n}\r\nThe main MO of AmexTroll, which also differentiates it from Copybara, is the same overlay mechanism that is very common among other banking trojan families. Whenever an overlay is triggered, the bot automatically opens a WebView with the corresponding phishing page to steal the targeted PII. The implementation differs slightly from the standard used in other families due to its development cycle, but the logical steps are the same.\r\nInitially the targets returned were limited, and mostly focused on the Italian market. However, recently, a campaign distributed through a dropper on the Google Play store was observed targeting institutions from Australia and Great Britain. The intelligence on this dropper confirms that the campaign was live for only a few days, with thousands of downloads in the aforementioned geolocations.\r\nCopybara\r\nThe Copybara family has also been active since the second half of 2021. 
The reason behind this might be found in the fact that the B4A framework became a free product in February 2020. Its campaigns came into full scope in 2022, and differ from AmexTroll in that they are very focused not only on the Italian market, but also very specifically on individual institutions.\r\nThe malware itself, similarly to AmexTroll, is able to create a remote connection with the C2 and allow criminals to perform On-Device Fraud on the infected device. However, Copybara greatly differs in the way it obtains PII. Similarly to AmexTroll, it features an overlay mechanism, but in this case it is specific to the application it is posing as (in a way that is very similar to what malware used to do before the use of accessibility services became prevalent). ThreatFabric has found samples posing as a variety of Italian institutions; however, the overlay is consistently the same within this set of applications.\r\nNewer variants of this family also introduced additional modules and APKs, which add functionality to the malware itself. 
The main Copybara application is able to download an external module capable of performing Accessibility event logging, a feature that is extremely important when implementing On-Device Fraud, as it gives criminals full visibility of, and the ability to act on, all the UI elements on the victim's device, as well as allowing a very inclusive keylogging mechanism. The snippet below (decompiled from the B4A-generated Java, with the first condition cut off in the original listing; comments added) shows how the module pushes operator-supplied text into the currently focused node:\r\n// acs.GetIsStringTypeText() holds the text the operator wants typed into the current node\r\nif (acs.GetIsStringTypeText().toString().length() \u003e 0 \u0026\u0026 accessibilityNodeInfo0 != null \u0026\u0026 (var1.getClassName().equals(\"a\r\n if (accessibilityNodeInfo0.getActionList().contains(AccessibilityNodeInfo.AccessibilityAction.ACTION_SET_TEXT)) {\r\n // Node supports ACTION_SET_TEXT: write the text directly (0x200000 == AccessibilityNodeInfo.ACTION_SET_TEXT)\r\n Bundle var4 = new Bundle();\r\n var4.putCharSequence(\"ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE\", acs.GetIsStringTypeText().toString());\r\n accessibilityNodeInfo0.performAction(0x200000, var4);\r\n } else if (TextUtils.isEmpty(accessibilityNodeInfo0.getText())) {\r\n // Empty field without ACTION_SET_TEXT: paste whatever is on the clipboard (0x8000 == AccessibilityNodeInfo.ACTION_PASTE)\r\n accessibilityNodeInfo0.performAction(0x8000);\r\n } else if (!accessibilityNodeInfo0.getText().toString().toString().contains(acs.GetIsStringTypeText().toString())) {\r\n // Field already has content that does not include the wanted text: paste again\r\n accessibilityNodeInfo0.performAction(0x8000);\r\n }\r\n // Clear the pending text so it is injected only once\r\n acs.IsStringTypeText(\"\");\r\n}\r\nCombined with the additional modules, Copybara utilizes some companion apps that deal with SMS monitoring and refer to the same C2 as the main malware. These apps are used to retrieve possible 2FA tokens from banks, as well as to monitor the device even further. They are also distributed through the same web phishing channels as Copybara.\r\nHowever, the real strength of Copybara lies within the criminal group behind it. 
The lack of flexibility in this malware family is greatly balanced by the care and precision of its social engineering approach.\r\nCopybara, by virtue of being privately run, is able to rely heavily on TOAD (Telephone-Oriented Attack Delivery), which involves operators calling the victim to convince them to install the application and grant all the permissions it needs to function. This is the main difference between this family and AmexTroll, and one of the main reasons why ThreatFabric feels very confident in differentiating these two families.\r\nUsers may be very skeptical about applications downloaded from the Web (a problem that AmexTroll tackles by using droppers on the Google Play Store to gain the trust of users).\r\nCopybara is distributed via SMiShing. Victims receive an SMS purporting to come from their bank with a link, followed by a call from the operator to guide them through the process. The additional step of being called by an operator adds credibility to the operation, encouraging users to install the malware with the promise of being safer and more protected.\r\nThis approach is very effective, and justifies the nature of the malware itself. The group behind Copybara works with much more limited numbers of infections, due to the need for an operator to interact with the victim. However, this step also ensures a much higher success rate. This may also be the reason why this family is heavily focused on the Italian market: the approach requires heavily tailoring the process to the banking institution targeted, so it makes sense for criminals to focus on one language at a time.\r\nConclusions\r\nThe mobile malware landscape is continuously evolving and mobile users are continuously facing new and different threats. In 2022, ThreatFabric observed a strong shift towards On-Device Fraud. 
AmexTroll and Copybara confirm this trend, while adding their own flair to the standard Android banking malware feature set: one through technical additions that make the infection stealthier and more effective, the other by relying on the human aspect of phishing, literally coaching victims into correctly infecting their own devices.\r\nThreatFabric expects to see more from both of these families, which are alive and active at the time of writing this blog.\r\nMTI \u0026 CSD\r\nOur Mobile Threat Intelligence (MTI) service provides financial institutions with better visibility of the increasing threat of mobile banking malware. Banks that use MTI understand which malware campaigns are targeting their mobile channel and how their mobile banking users are impacted.\r\nWith our Client Side Detection (CSD) service we help financial institutions gain visibility of (potential) fraud by mobile banking malware, and prevent it. If you would like to know more about how we use our mobile threat intelligence to detect mobile banking malware on mobile devices, feel free to reach out to sales@threatfabric.com.\r\nAppendix\r\nBrata Samples\r\nApp name | Package name | SHA-256\r\nAtualização WhatsApp | com.da9d84d1 | 22a841da43ced0f2bb829780a4aa6a2ffaeb56d2a5e98d2f1bd62e1b8d70b967\r\ncom.helper.android | com.helper.android | 91ab6e70655abdef8e79eaeb0d83c02246037e2fc168eec956192fac4fcecea6\r\nVivo Internet Gratis | com.vivointernetgratis | 4c57c5eae5a1bae1a50beed28affdff722c89416886e5eda8088a06771cc29c8\r\nAtualização WA 2.5 | com.waatt25 | fa816c631249922539eeeb3e8f73d3ef4ea997ab729751adebcea3d0de32a63b\r\nAmexTroll Samples\r\nApp name | Package name | SHA-256\r\nA Shield Auth | horse.house.homer | f530c66fb1f7ac5e2e9a89c1f410e498dc59eecbec8bae29a9f69ab3dc7ce86c\r\n
Itau Modulo Segurança | koala.viber.vip | 02aa9061b47762ce1627d38195097c0e791864004e509598269ffa8fb2e25103\r\nTEST APP KOALA (Test app) | malware.malware.virus | 1032b42c859c747bcc159b75366c3325869d3722f5673d13a7b06633245ebf32\r\nSICUREZZA ANTISPAM | koala.kerox.vip | 38952ffe92afea051cea6de48b765274f5344ae2add07820995340faf546e220\r\nCopybara Samples\r\nApp name | Package name | SHA-256\r\nBanca Sicura | com.com.app.isp | 4074d2c885462ffb52d5ffb7d024ad1e7c50aa794bea3a0c9f2292fcebc7018f\r\nToken ISP | com.apk.isp.intesa | 1698e5a1425903d576d4eeb8e25b0ec4f1091971cea3a61bfb83c2a5b514e306\r\nUniCredit Sicura | com.app.app.unicredit | 7386eac4c4093b2ab433131edef48a2846ed11ce7d58e7069fe5531ae549f29c\r\nBanca Sicura | com.banca.sicura.app | 94f1a33d4f3bd94f65f8969f288fe01a198952c17e52c9e86e4047222d45f0ce\r\nAmexTroll targets\r\nPackage name | App name\r\nau.com.bankwest.mobile | Bankwest\r\nau.com.commbank.commbiz.prod | CommBiz\r\nau.com.cua.mb | CUA Mobile Banking\r\nau.com.hsbc.hsbcaustralia | HSBC Australia\r\nau.com.macquarie.banking | Macquarie Mobile Banking\r\nau.com.mebank.banking | ME Bank\r\nau.com.nab.mobile | NAB Mobile Banking\r\nau.com.newcastlepermanent | NPBS Mobile Banking\r\nau.com.rams.RAMS | myRAMS\r\nau.com.suncorp.rsa.suncorpsecured | Suncorp Secured\r\nau.com.suncorp.SuncorpBank | Suncorp Bank\r\nau.com.ubank.internetbanking | UBank Mobile Banking\r\nco.zip | Zip - Shop Now, Pay Later\r\ncom.anz.android.gomoney | ANZ Australia\r\ncom.anz.transactive.global | ANZ Transactive - Global\r\ncom.bankofqueensland.boq | BOQ Mobile\r\ncom.bendigobank.mobile | Bendigo Bank\r\ncom.commbank.netbank | CommBank\r\ncom.fusion.banking | Bank Australia app\r\ncom.fusion.beyondbank | Beyond Bank Australia\r\ncom.greater.Greater | Greater Bank\r\ncom.hsbc.hsbcnet | HSBCnet Mobile\r\ncom.virginmoney.cards | Virgin 
Money Credit Card\r\norg.banking.bom.businessconnect | Bank of Melbourne Business App\r\norg.banking.bsa.businessconnect | BankSA Business App\r\norg.banking.stg.businessconnect | St.George Business App\r\norg.banksa.bank | BankSA Mobile Banking\r\norg.bom.bank | Bank of Melbourne Mobile Banking\r\norg.stgeorge.bank | St.George Mobile Banking\r\norg.westpac.bank | Westpac Mobile Banking\r\norg.westpac.col | Westpac Corporate Mobile\r\nco.uk.Nationwide.Mobile | Nationwide Banking App\r\ncom.barclaycardus | Barclays US\r\ncom.cooperativebank.bank | The Co-operative Bank\r\ncom.grppl.android.shell.CMBlloydsTSB73 | Lloyds Bank Mobile Banking: by your side\r\ncom.grppl.android.shell.halifax | Halifax: the banking app that gives you extra\r\ncom.ie.capitalone.uk | Capital One UK\r\ncom.nearform.ptsb | permanent tsb\r\ncom.rbs.mobile.android.natwest | NatWest Mobile Banking\r\ncom.revolut.revolut | Revolut - Get more from your money\r\ntsb.mobilebanking | TSB Bank Mobile Banking\r\nuk.co.hsbc.hsbcukmobilebanking | HSBC UK Mobile Banking\r\nuk.co.metrobankonline.mobile.android.production | Metro Bank\r\nuk.co.santander.santanderUK | Santander Mobile Banking\r\nuk.co.tsb.newmobilebank | TSB Mobile Banking\r\nit.carige | Carige Mobile\r\nCopybara targets\r\nBank\r\nUnicredit Banca\r\nBanca Intesa\r\nBNP\r\nBPER Banca\r\nPoste Italiane\r\nSource: https://www.threatfabric.com/blogs/brata-a-tale-of-three-families",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/brata-a-tale-of-three-families"
	],
	"report_names": [
		"brata-a-tale-of-three-families"
	],
	"threat_actors": [],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c2d890546f91366a5cecb7a7983ce0b84858d5b.pdf",
		"text": "https://archive.orkl.eu/3c2d890546f91366a5cecb7a7983ce0b84858d5b.txt",
		"img": "https://archive.orkl.eu/3c2d890546f91366a5cecb7a7983ce0b84858d5b.jpg"
	}
}