S1094: BRATA
BRATA (Brazilian Remote Access Tool, Android) is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and the USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]
Analyst context for executives and security teams
BRATA is an Android malware entry in ATT&CK associated with remote-access-style mobile capabilities and reported targeting of financial institutions. Its practical significance is that it combines mobile credential/input collection, screen capture, local data access, location awareness, web-protocol communications, and multiple evasion behaviors. For leaders, this is a reminder that mobile risk is not only device loss or phishing; compromised Android endpoints can affect banking workflows, customer or employee identity protection, fraud response, and incident evidence quality.
Executive priority
Prioritize BRATA as a mobile-banking and Android endpoint risk scenario where the organization depends on mobile access to financial, identity, or operational systems. Useful leadership questions include: Do we have visibility into managed Android devices? Can we prove which apps, permissions, accessibility-service usage, and network destinations are allowed? Are incident responders prepared to preserve mobile evidence when malware may uninstall itself or hide behavior? For regulated environments, coverage decisions should map to audit evidence for mobile device management, acceptable app sources, permission governance, phishing readiness, and detection of data exfiltration over normal web traffic.
Technical view
ATT&CK lists BRATA for Android and relates it to techniques including obfuscated files, software packing, downloading new code at runtime, keylogging, GUI input capture, security software discovery, system information discovery, location tracking, web-protocol C2, screen capture, input injection through accessibility APIs, local data collection, call control, geofencing, user evasion, disabling or modifying tools, uninstalling the malicious application, system checks, transmitted data manipulation, exfiltration over C2, matching legitimate names or locations, and phishing. SOC and IR teams should validate mobile telemetry around suspicious app installs, excessive permissions, accessibility abuse, runtime code loading, foreground screen or input capture indicators, unusual outbound web traffic, and application self-removal or security-tool interference. Because the official ATT&CK object provides no detection text, detection engineering should be technique-led rather than relying on a single BRATA-specific rule.
Likely telemetry
- Android application inventory, package names, icons, install source, and install/update timestamps
- Mobile device management or enterprise mobility management records for app allow/deny status and device posture
- Android permission grants, especially accessibility, location, phone/call, screen capture/media projection, and storage-related access where available
- Runtime indicators such as dynamic code loading or downloaded secondary code after installation
- Network telemetry for mobile devices, especially HTTP/HTTPS destinations, timing, volume, and repeated command-and-control-like patterns
Detection direction
- Build detections around the related behaviors rather than the malware name alone, especially accessibility abuse, GUI input capture, screen capture, runtime code download, and exfiltration over web protocols.
- Tune mobile-app risk scoring for applications that mimic legitimate names, icons, or package locations, request high-risk permissions, or change behavior after installation.
- Correlate phishing reports or suspicious app-install events with subsequent permission grants, location access, outbound web traffic, or security-tool discovery/tampering.
- Account for evasion blind spots: packing and obfuscation can reduce static-analysis value, runtime code download can bypass pre-publication scanning, geofencing and system checks can suppress behavior in test environments, and self-uninstall can reduce forensic artifacts.
- Separate benign administrative or accessibility use from suspicious patterns by validating business-approved apps, documented accessibility needs, managed-device baselines, and expected mobile network destinations.
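One way to turn the technique-led detection direction above into scoring logic, as an added example (not Glexia's or MITRE's code): a risk scorer run over constructed Android app-inventory records. The record fields, permission labels, trusted-installer baseline, weights and threshold are assumptions, not a real MDM/EMM schema.

```python
# Added example: technique-led risk scoring over constructed Android app-inventory records.
# Field names, permission labels, trusted-installer baseline and weights are assumptions.
from dataclasses import dataclass, field
TRUSTED_INSTALLERS = {"com.android.vending"}            # Google Play (assumed baseline)
IMPERSONATED_LABELS = ("whatsapp", "security scanner")  # names BRATA masqueraded as
OTHER_RISKY_PERMS = {"ACCESS_FINE_LOCATION", "ANSWER_PHONE_CALLS", "READ_EXTERNAL_STORAGE"}

@dataclass
class AppRecord:
    package: str
    label: str
    installer: str
    permissions: set = field(default_factory=set)
    dynamic_code_loaded: bool = False    # secondary code fetched after install (T1407)
    play_protect_disabled: bool = False  # security tooling tampered with (T1629.003)
    beacon_destinations: int = 0         # repeated HTTP/WebSocket beacons to unknown hosts
    self_uninstalled: bool = False       # app removed itself (T1630.001)

def score_app(app: AppRecord) -> tuple[int, list[str]]:
    """Return (score, reasons); each signal maps to a technique listed on this page."""
    score, reasons = 0, []
    lookalike = any(n in app.label.lower() for n in IMPERSONATED_LABELS)
    if lookalike and app.installer not in TRUSTED_INSTALLERS:
        score += 3; reasons.append("T1655.001 lookalike name outside trusted installer")
    if "BIND_ACCESSIBILITY_SERVICE" in app.permissions:
        score += 3; reasons.append("T1516 accessibility service bound")
    if "MEDIA_PROJECTION" in app.permissions:  # assumed telemetry label for screen capture
        score += 2; reasons.append("T1513 screen capture capability")
    score += len(app.permissions & OTHER_RISKY_PERMS)  # +1 per location/call/storage grant
    if app.dynamic_code_loaded:
        score += 2; reasons.append("T1407 code downloaded at runtime")
    if app.play_protect_disabled:
        score += 3; reasons.append("T1629.003 Play Protect disabled")
    if app.beacon_destinations >= 3:
        score += 2; reasons.append("T1437.001 repeated web-protocol beacons")
    if app.self_uninstalled:
        score += 2; reasons.append("T1630.001 self-removal: preserve evidence now")
    return score, reasons

def triage(apps, threshold: int = 6):  # (package, score, reasons) at/above threshold
    hits = [(a.package, *score_app(a)) for a in apps]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

# Constructed sample inventory: a Play-installed app and a sideloaded lookalike.
SAMPLE_APPS = [
    AppRecord("com.whatsapp", "WhatsApp", "com.android.vending", {"ACCESS_FINE_LOCATION"}),
    AppRecord("com.constructed.wa.update", "WhatsApp Update", "com.example.sideload",
              {"BIND_ACCESSIBILITY_SERVICE", "ACCESS_FINE_LOCATION"},
              dynamic_code_loaded=True, play_protect_disabled=True, beacon_destinations=5),
]
```

Scores are additive so that a single benign high-risk grant (a documented accessibility need, say) stays under the threshold while the combination the page describes crosses it.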
Mitigation priorities
- Start with mobile governance: restrict app installation sources where feasible, maintain approved app inventories, and enforce MDM/EMM posture controls for Android devices used in business workflows.
- Harden permissions: review and limit accessibility-service use, location access, call-control permissions, storage access, and screen-capture permissions to documented business needs.
- Improve phishing resilience for mobile users, including reporting paths for suspicious links, prompts, and app installation requests.
- Require mobile incident response procedures that preserve evidence quickly, because related behaviors include uninstalling the malicious application and disabling or modifying tools.
- Use layered mobile security controls that combine app reputation, behavioral analysis, network monitoring, and device posture rather than depending only on static signatures.
Analyst notes and limits
The ATT&CK record identifies BRATA as Android malware, detected in late 2018 and again in late 2021, originating in Brazil and later reported in the UK, Poland, Italy, Spain, and the USA, with believed targeting of financial institutions such as banks. The relationship set is rich and should drive defensive validation: collection, credential/input capture, evasion, C2 over web protocols, exfiltration, and anti-analysis behaviors are all represented. This take intentionally does not assert current activity, specific victims, or guaranteed detection coverage.
Official detection guidance is not provided, tactics are not specified in the supplied object, and the related technique descriptions are behavioral context rather than proof of what any specific local sample or incident will do. Local telemetry, managed-device scope, app inventory, mobile network visibility, and IR evidence are required to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1407 | Download New Code at Runtime | BRATA has used an initial dropper to download an additional malicious application, and downloads its configuration file from the C2 server. [2][3] |
| Mobile | T1430 | Location Tracking | BRATA can track the device's location. [2] |
| Mobile | T1630.001 | Uninstall Malicious Application (sub-technique) | BRATA can uninstall itself and remove traces of infection. [1][3] |
| Mobile | T1513 | Screen Capture | BRATA can capture and send real-time screen output. [1][3] |
| Mobile | T1461 | Lockscreen Bypass | BRATA can request that the user unlock the device, or remotely unlock the device. [1] |
| Mobile | T1662 | Data Destruction | BRATA can perform a factory reset. [2] |
| Mobile | T1417.001 | Keylogging (sub-technique) | BRATA can log device keystrokes. [1][2][3] |
| Mobile | T1641.001 | Transmitted Data Manipulation (sub-technique) | BRATA has injected string contents into the device clipboard. [3] |
| Mobile | T1426 | System Information Discovery | BRATA can retrieve Android system and hardware information. [1] |
| Mobile | T1406 | Obfuscated Files or Information | BRATA has employed code obfuscation and encryption of configuration files. [2][3] |
| Mobile | T1629.003 | Disable or Modify Tools (sub-technique) | BRATA can remove installed antivirus applications as well as disable Google Play Protect. [2][3] |
| Mobile | T1627.001 | Geofencing (sub-technique) | BRATA has performed country and language checks. [3] |
| Mobile | T1418.001 | Security Software Discovery (sub-technique) | BRATA can search for specific installed security applications. [2] |
| Mobile | T1633.001 | System Checks (sub-technique) | BRATA can check whether it has been installed in a virtual environment. [3] |
| Mobile | T1616 | Call Control | BRATA can hide incoming calls by setting the ring volume to 0 and showing a blank screen overlay. [3] |
| Mobile | T1646 | Exfiltration Over C2 Channel | BRATA has exfiltrated data to the C2 server using HTTP requests. [2] |
| Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | BRATA has masqueraded as legitimate WhatsApp updates and app security scanners. [1][3] |
| Mobile | T1628.002 | User Evasion (sub-technique) | BRATA can turn off, or fake turning off, the screen while performing malicious activities. [1] |
| Mobile | T1437.001 | Web Protocols (sub-technique) | BRATA can use both HTTP and WebSockets to communicate with the C2 server. [2] |
| Mobile | T1516 | Input Injection | |
| Mobile | T1532 | Archive Collected Data | BRATA has compressed data with the `zlib` library before exfiltration. [2] |
| Mobile | T1663 | Remote Access Software | BRATA can view a device through VNC. [2] |
| Mobile | T1664 | Exploitation for Initial Access | BRATA has abused WhatsApp vulnerability CVE-2019-3568 to achieve initial access. [1] |
| Mobile | T1417.002 | GUI Input Capture (sub-technique) | BRATA can use tailored overlay pages to steal PINs for banking applications. [2] |
| Mobile | T1660 | Phishing | BRATA has been distributed using phishing techniques, such as push notifications from compromised websites. [1] |
| Mobile | T1533 | Data from Local System | BRATA has collected account information from compromised devices. [1] |
| Mobile | T1406.002 | Software Packing (sub-technique) | BRATA has utilized commercial software packers. [3] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9ddc47946a43… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] securelist_brata_0819: Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.
[2] cleafy_brata_0122: Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.
[3] mcafee_brata_0421: Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.
[4] mitre-attack: S1094 (MITRE ATT&CK software entry).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.