
Look out — this Android malware can steal your money and then wipe your phone


Update: Not even antivirus apps are safe for you to download, so be vigilant about what you install

A well-known Android banking Trojan has developed a frightening new twist: It can factory-wipe your phone after it's done cleaning out your bank account.

The BRATA malware, or Brazil Remote Access Tool, was first spotted as spyware in Brazil in 2019. It has since spread through Latin America and jumped the Atlantic to attack Italian and Spanish bank customers.

In a report posted yesterday (Jan. 24), fraud-fighting firm Cleafy said BRATA is now targeting the UK and Poland and may be setting its sights on China.

Cleafy said BRATA has introduced a "kill switch" that lets the criminals who remotely control infected phones factory-reset the devices. This is useful if the crooks detect that their malicious app is running in a virtual environment, commonly used by security researchers, but also makes it harder for victims to tell that they've been robbed.

The new versions of BRATA also may be able to track you through GPS, although Cleafy said that function isn't yet fully developed.

How the BRATA attack works

A BRATA attack begins with an SMS text message that seems to come from your bank, Cleafy explained. The text says you have to take urgent action to protect yourself, and includes a link that will help you do so.

Click on the link, and you'll be taken to a mobile-only webpage that mimics your bank's website. You're invited to download some sort of security app directly from the "bank" website. 

At this point, a helpful "support technician" calls you and walks you through the process of installing the app — it's tricky because it's not an app found in the Google Play store — and then granting the app special permissions.

Of course, the technician is really a crook, and the permissions you've given the new app hand over control of your phone. They include the abilities to see what you type and do on the phone, make phone calls, send and view text messages, access saved photos and files and — most importantly — act as a "device administrator" that can lock and unlock the screen, modify system settings and remotely wipe the device.

Needless to say, these permissions are far beyond what most Android apps ask for, or even what other Android banking Trojans demand. But it's what many of the best Android antivirus apps do need to operate properly, so many users might be fooled.

With all these permissions granted, the fake security app has the ability to log your keystrokes, intercept and forward SMS messages (including texted security codes from a bank), record your screen, "overlay" the screen to capture passwords and PINs, uninstall other apps (including antivirus apps), disable Google Play Protect, unlock or black out the screen, set the ring volume to zero to mute incoming calls and grant permissions to other apps.

All of these abilities are very useful if, like the crooks behind the BRATA Trojan, you want to attack users' online banking apps. BRATA communicates with a human operator who, once they have gained your login credentials, can use the permissions to interact with your banking app, capture verification codes and move money out of your account.
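
For readers who vet apps before they reach users' phones, here is an added example (not from Cleafy's report or this article's sources): a Python script that audits a decoded AndroidManifest.xml, such as apktool produces, for the permission combination described above. The mapping from the abilities named in this article to Android permission names, and the sample manifest, are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Ability named in the article -> Android permissions (mapping is an assumption).
REQUESTED = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.CALL_PHONE"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.WRITE_EXTERNAL_STORAGE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "uninstall_apps": {"android.permission.REQUEST_DELETE_PACKAGES"},
}
# Abilities that show up as a component guarded by a system "BIND_" permission.
BOUND = {
    "device_admin": ("receiver", "android.permission.BIND_DEVICE_ADMIN"),
    "accessibility": ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
}

def audit_manifest(xml_text):
    """Return the set of sensitive abilities a decoded manifest declares."""
    root = ET.fromstring(xml_text)
    asked = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = {cap for cap, perms in REQUESTED.items() if asked & perms}
    for cap, (tag, perm) in BOUND.items():
        if any(e.get(ANDROID + "permission") == perm for e in root.iter(tag)):
            found.add(cap)
    return found

def is_high_risk(found):
    """Device admin (can wipe) combined with screen control or SMS access."""
    return "device_admin" in found and bool(found & {"accessibility", "sms"})

# Constructed sample manifest for a hypothetical sideloaded "security" app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    caps = audit_manifest(SAMPLE)
    print(sorted(caps), "HIGH RISK" if is_high_risk(caps) else "ok")
```

Legitimate antivirus and device-management apps can match the same pattern, so a hit is a reason to check where the app came from, not proof of malware.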

How to protect yourself from banking Trojans

There's no foolproof way to avoid banking Trojans on an Android phone, but you can take several steps to minimize your risk.

1. Don't install apps from outside the Google Play store. Malware does get into Google Play sometimes, but "off-road" apps are a much greater risk. 

2. Don't trust SMS texted security alerts that seem to come from your bank. Instead of responding to the message or clicking on a link, check to see if the alert is real by calling the bank support number printed on the back of your ATM or credit card — not a phone number in the SMS message.

3. When banking online from a desktop, check the URL in the browser's address bar to make sure it's really the bank's site. 

4. When banking online on a mobile device, don't use a browser — you often won't be able to see the entire URL. Use the bank's dedicated app instead.

5. Set up two-factor authentication on your online bank account if your bank hasn't instituted it already. 

6. Install and use one of the best Android antivirus apps. The BRATA malware will try to uninstall these apps, but many of them will detect and block BRATA before it gets a chance to do so.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.