{
	"id": "55704318-b42f-47bd-a91b-0ea1862cce24",
	"created_at": "2026-04-06T00:11:33.700145Z",
	"updated_at": "2026-04-10T03:20:01.122821Z",
	"deleted_at": null,
	"sha1_hash": "3d77f0bc3c9bbd04786f4ef691a05cf43f2da33e",
	"title": "Mobile banking fraud: BRATA strikes again",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3165687,
	"plain_text": "Mobile banking fraud: BRATA strikes again\r\nBy Federica Abbinante, Francesco Iubatti\r\nArchived: 2026-04-05 14:24:38 UTC\r\nExecutive Summary\r\nIn the past year, we observed in the Cleafy platform a spike in Android RAT infections caused by the increase in Android Banking Trojans used to perform fraudulent activities, usually combined with smishing and social engineering attack patterns. Simultaneously, we noticed a decrease in SIM swap attacks, possibly related to the fact that they are less scalable than the widely used malware as a service (MaaS) pattern.\r\nWhat makes Android RATs so interesting for attackers is their capability to operate directly on the victim's device instead of using a new device. By doing so, Threat Actors (TAs) can drastically reduce the possibility of being flagged \"as suspicious\", since the device's fingerprint is already known to the bank.\r\nIn this report, we analyze the attack chain and the modus operandi used by Threat Actors, from the sending of the malicious SMS to the fraudulent transaction carried out through an app installed on the infected device.\r\nMoreover, we highlight the main indicators to explain the attack chain used by these TAs:\r\nThe malware campaign targets mainly one of the biggest Italian retail banks as well as other minor banks. However, we don't exclude that other local TAs might be using the same attack vector (BRATA) to carry out other malicious activities in other countries.\r\nSmishing and phishing attacks are used to distribute malicious apps and to harvest credentials.\r\nA new version of the BRATA malware is used to infect the victims' devices.\r\nA combination of social engineering techniques and complete control of the infected device is used by TAs to perform fraudulent transactions.\r\nhttps://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again\r\nPage 1 of 11\r\nFigure 1 - BRATA distribution and modus operandi\r\nIntroduction\r\nAt the end of June 2021, the Cleafy Threat Intelligence and Incident Response team intercepted for the first time a new aggressive smishing campaign that was delivering multiple fake applications called “Sicurezza Dispositivo” (or “AntiSPAM”). The campaign targeted the customers of one of the biggest Italian retail banks.\r\nFigure 2 - Some BRATA samples and related occurrences\r\nAfter the first wave, which lasted from June to mid-September, the attack stopped for about a month. In mid-October, our TIR team discovered that new samples called “Sicurezza Avanzata” were again in action and were targeting mainly the customers of three Italian banks. This time the malware was almost undetectable by antivirus solutions (as shown in Figure 3).\r\nFigure 3 - Difference between two BRATA samples detected by antivirus solutions\r\nHow the BRATA malware works\r\nIn June 2021, we detected for the first time on Cleafy’s dashboards a new variant of the BRATA malware. After a couple of weeks, a customer reported to us some incidents related to the same campaign.\r\nFigure 4 - Example of BRATA malware intercepted and blacklisted in the Cleafy console\r\nThanks to an in-depth technical analysis of the intercepted Indicators of Compromise, we were able to reconstruct the detailed chain of events and the methodologies used by these Threat Actors to conduct bank frauds.\r\nThe attack chain usually starts with a fake SMS containing a link to a website. The SMS seems to come from the bank (the so-called spoofing scam), and it tries to convince the victim to download an anti-spam app, with the promise of being contacted soon by a bank operator.\r\nFigure 5 - Example of one of the SMS received from the victim\r\nIn some cases, the link redirects the victim to a phishing page that looks like the bank’s, and it is used to steal credentials and other relevant information (e.g. fiscal code and security questions).\r\nFigure 6 - Phishing kit used by TAs to deliver BRATA and for credential harvesting\r\nFigure 7 - Example of information stolen by the BRATA group\r\nAfter the victim visits the website (only visible via mobile[1]) and downloads the malicious app, a fraud operator calls the victim and uses social engineering techniques to persuade the user to install the malicious app.\r\nFigure 8 - Example of website used to spread BRATA malware in Italy\r\nDuring the installation phase of the malware (Figure 9), multiple permissions are requested to allow the attackers to perform fraudulent activities.\r\nOnce the malicious app is installed, the fraud operators can take control of the victims' infected devices thanks to the abuse of the Accessibility services, the SMS permission, and the recording/casting module of the malware.\r\nFigure 9 - Installation phase of BRATA malware on an Android device\r\nThrough the malware installed on the victim's device, Threat Actors can receive on their server the 2FA code sent by the bank and perform fraudulent transactions. Moreover, as we also observed in other scenarios, by abusing the Accessibility Service and the screen recording, TAs can perform actions on the infected device with the help of social engineering used to persuade the victim.\r\nFigure 10 - Example of fraudulent transactions performed by TAs inside the infected device\r\nAs shown in Figure 11, we also intercepted multiple attempts to validate PINs/OTPs stolen by TAs through the malicious app (or phishing website). This specific pattern was also observed in other past campaigns of mobile and workstation malware.\r\nFigure 11 - Attempt to use stolen credentials intercepted in the Cleafy Console\r\nThe mule accounts used by the BRATA malware campaign mainly come from Italy, as well as from Lithuania and the Netherlands, as shown in Figure 12. From this information, we assume that the TAs behind these campaigns could come from European countries, unlike the previous BRATA malware campaign observed in Brazil in 2019.\r\nFigure 12 - Distribution of mules used by the BRATA campaign\r\n[1] TAs used a legitimate open source project (https://github.com/serbanghita/Mobile-Detect) to detect whether the website is opened from a mobile phone or a PC.\r\nBRATA main functionalities and capabilities\r\nBy analyzing the code of the malicious apps, it was possible to trace the threat back to the BRATA malware, a Brazilian malware discovered in 2019. However, these new samples present multiple differences compared to the previous ones.\r\nSeveral Portuguese/Brazilian log strings are embedded in the malicious app, while the screens are shown to the victim in Italian. Our assumption is that the group responsible for maintaining the BRATA codebase, probably located in the LATAM area, is reselling this malware to other local groups. As a result, this threat is gradually expanding in several European countries.\r\nFigure 13 - Some BRATA logs (on the left) and a screen with Italian text (on the right)\r\nLike other Android bankers that previously appeared online (e.g., Teabot[2], Alien, Oscorp[3], etc.), this version of BRATA has RAT capabilities. The main difference resides in the implementation used to develop the malware: TAs used the b4a framework[4], already used by another Brazilian banker in 2019, called BasBanker. One of the reasons behind this choice is the possibility to import modules already designed by other developers. This characteristic may allow the TAs to speed up the implementation of new features or of the malware itself.\r\nFigure 14 - List of commands used by BRATA malware\r\nThe main functionalities of this new version of BRATA are not very different from those of other “famous” banking trojans:\r\nIntercept SMS messages and forward them to a C2 server. This feature is used to get the 2FA codes sent by the bank via SMS during the login phase or to confirm money transactions.\r\nScreen recording and casting capabilities that allow the malware to capture any sensitive information displayed on the screen. This includes audio, passwords, payment information, photos, and messages (as shown in Figure 15). Through the Accessibility Service, the malware clicks the “start now” button (of the popup) automatically, so the victim is not able to deny the recording/casting of their own device.\r\nRemove itself from the compromised device to reduce detection.\r\nUninstall specific applications (e.g., antivirus).\r\nHide its own app icon to be less traceable by non-advanced users.\r\nDisable Google Play Protect to avoid being flagged by Google as a suspicious app.\r\nModify the device settings to get more privileges.\r\nUnlock the device if it is locked with a secret PIN or pattern.\r\nShow phishing pages.\r\nAbuse the Accessibility Service to read everything that is shown on the screen of the infected device or to simulate clicks on the screen. This information is then sent to the attackers' C2 server.\r\n[2] https://www.cleafy.com/cleafy-labs/teabot\r\n[3] https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution\r\n[4] https://www.b4x.com/b4a.html\r\nConclusion\r\nThe Android Banking Trojan BRATA is already classified and blacklisted in our Threat Intelligence data with the following tags:\r\nASK_BANKER_ANDROID_BRATA_V1\r\nASK_BANKER_ANDROID_BRATA_V2\r\nAppendix 1: IOCs\r\nFirst campaign (June-mid September)\r\nMD5 | App Name | Package Name\r\ned63a9c22b2a6d39f11dfcee8925d306 | Sicurezza Dispositivo | b4a.example\r\n3cd6c14061a891c4a1525ac1a4609137 | AntiSpam | com.dasjn023.dmindnasiod\r\nSecond campaign (October)\r\nMD5 | App Name | Package Name\r\n8a10f6600be239a246e93cca0e7a69b0 | Sicurezza Avanzata | com.voip.ffnenne\r\nURL | Description\r\n23.254.228.221:17178 | BRATA C2\r\nhttps[:]//bpweb-passadore[.]com | URL used to distribute the malicious app\r\nSource: https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again"
	],
	"report_names": [
		"mobile-banking-fraud-brata-strikes-again"
	],
	"threat_actors": [],
	"ts_created_at": 1775434293,
	"ts_updated_at": 1775791201,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d77f0bc3c9bbd04786f4ef691a05cf43f2da33e.pdf",
		"text": "https://archive.orkl.eu/3d77f0bc3c9bbd04786f4ef691a05cf43f2da33e.txt",
		"img": "https://archive.orkl.eu/3d77f0bc3c9bbd04786f4ef691a05cf43f2da33e.jpg"
	}
}