[MART] - Daily Diary #394 - BrazKing, Another Brazilian Android Banking RAT

CTAS-MAT ctas-mat at appgate.com
Fri Nov 19 20:38:45 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

11/19/2021 - Diary entry #394:


As covered in our Daily #345, a Remote Access Trojan (RAT) is malware that gives an attacker remote control of an infected device. Recently, a new version of an Android banking RAT was spotted. Named BrazKing (a.k.a. DefensorID), it has targeted mobile banking users in Brazil since 2020.


BrazKing is delivered by smishing (SMS messages). Its previous versions abused the Accessibility permission right after installation to detect which applications the victim launched; when a targeted app was opened, an overlay screen, retrieved from a hardcoded URL, was shown on top of the legitimate app. BrazKing has now evolved: it returns with dynamic banking overlays and a feature that lets it operate initially without requesting suspicious permissions such as Accessibility, so that merely installing the malware does not expose it to analysis and detection.


Once installed, it contacts the attacker's server, which replies with instructions to request permissions from the victim only as they are needed during the attack. All detection logic, such as spotting a targeted app being launched, is now performed on the server side. Besides its RAT capabilities, BrazKing frequently sends on-screen content to the C&C, has a keylogging feature, and can read contact lists or SMS messages to grab 2FA codes. All of this is done through Accessibility alone, without the usual permissions such as READ_SMS or READ_CONTACTS.
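As an added illustration of the permission point above (example code written for this entry, not from the original post and not BrazKing's code): an AccessibilityService still has to be declared in AndroidManifest.xml, guarded by BIND_ACCESSIBILITY_SERVICE, even when the app defers asking the user to enable it, so a static manifest review can flag the declaration and report which conventional data permissions are absent. The two manifests and package names are constructed for the example. Legitimate screen readers, password managers and automation apps declare such services too, so the result is a triage signal, not a verdict.

```python
"""Static triage heuristic for an Android manifest (added example; not
BrazKing code and not from the original post).

An AccessibilityService must be declared in AndroidManifest.xml behind the
BIND_ACCESSIBILITY_SERVICE permission regardless of when the user is asked
to enable it. This script flags that declaration and notes when none of
the permissions normally needed for SMS or contacts are requested, since
screen content read through Accessibility can stand in for them.
The two manifests at the bottom are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# Permissions an app would normally need for data an accessibility service
# can instead scrape from the screen.
DATA_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
}


def _android_attr(elem, name):
    """Read an attribute in the android: namespace, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return requested permissions, declared accessibility services and
    a list of human-readable findings for one manifest."""
    root = ET.fromstring(xml_text)
    requested = {
        _android_attr(p, "name") for p in root.iter("uses-permission")
    }
    services = []
    for svc in root.iter("service"):
        # A real AccessibilityService is protected by this permission and
        # filters the AccessibilityService intent action.
        if _android_attr(svc, "permission") != BIND_ACCESSIBILITY:
            continue
        actions = {_android_attr(a, "name") for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            services.append(_android_attr(svc, "name"))

    findings = []
    if services and not (requested & DATA_PERMISSIONS):
        findings.append(
            "accessibility service declared but no SMS/contacts permissions "
            "requested: screen scraping could stand in for them"
        )
    return {
        "accessibility_services": services,
        "requested_permissions": sorted(requested),
        "findings": findings,
    }


# Constructed manifest: no data permissions, but an accessibility service.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Update">
    <service android:name=".ScreenService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest: an ordinary app with no accessibility service.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        report = analyze_manifest(manifest)
        print(label, report["accessibility_services"], report["findings"])
```

On a real sample the manifest would first be decoded from the APK (for instance with apktool or aapt), then passed to `analyze_manifest` as text; the check is deliberately limited to what the manifest states, so the absence of READ_SMS tells you nothing about what the service does once enabled.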


Since BrazKing is not distributed through the Google Play Store, this threat is simple to avoid: do not install apps from unofficial sources, and pay attention to every permission an app requests.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
