Researchers at Kaspersky have described a new remote access trojan (RAT) that specifically targets Android users in Brazil. They have named the malware BRATA, a contraction of “Brazilian RAT Android.” The first variant was detected in early 2019, and more than 20 variants have appeared since BRATA was first reported. The RAT has been distributed through the Google Play Store, in addition to other unaffiliated app stores.

The attackers have used multiple methods to infect users. Most commonly, variants claimed to be updates to the popular WhatsApp messaging application. However, other infection vectors have included messages sent using WhatsApp, SMS messages, and links in sponsored Google search results.

The RAT is capable of keylogging and can capture the user’s screen contents and stream them to the attackers in real time. It can also turn off the screen, or alternatively make the screen appear to be turned off, so that it can perform actions without the user’s knowledge. Additionally, as with most RATs, it can launch any installed application and uninstall itself.

When/How Did BluVector Detect It?

Three samples are publicly available, and BluVector’s patented Machine Learning Engine (MLE) detected the trojan in all of them. Regression testing has shown that the samples would have been detected 25 months prior to their release. Note: BluVector would only detect the malware if the Android device was connected to a corporate network monitored by BluVector.