Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S1094: BRATA

BRATA (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]

MobileS1094MalwareObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

BRATA is an Android malware entry in ATT&CK associated with remote-access-style mobile capabilities and reported targeting of financial institutions. Its practical significance is that it combines mobile credential/input collection, screen capture, local data access, location awareness, web-protocol communications, and multiple evasion behaviors. For leaders, this is a reminder that mobile risk is not only device loss or phishing; compromised Android endpoints can affect banking workflows, customer or employee identity protection, fraud response, and incident evidence quality.

Executive priority

Prioritize BRATA as a mobile-banking and Android endpoint risk scenario where the organization depends on mobile access to financial, identity, or operational systems. Useful leadership questions include: Do we have visibility into managed Android devices? Can we prove which apps, permissions, accessibility-service usage, and network destinations are allowed? Are incident responders prepared to preserve mobile evidence when malware may uninstall itself or hide behavior? For regulated environments, coverage decisions should map to audit evidence for mobile device management, acceptable app sources, permission governance, phishing readiness, and detection of data exfiltration over normal web traffic.

Technical view

ATT&CK lists BRATA for Android and relates it to techniques including obfuscated files, software packing, downloading new code at runtime, keylogging, GUI input capture, security software discovery, system information discovery, location tracking, web-protocol C2, screen capture, input injection through accessibility APIs, local data collection, call control, geofencing, user evasion, disabling or modifying tools, uninstalling the malicious application, system checks, transmitted data manipulation, exfiltration over C2, matching legitimate names or locations, and phishing. SOC and IR teams should validate mobile telemetry around suspicious app installs, excessive permissions, accessibility abuse, runtime code loading, foreground screen or input capture indicators, unusual outbound web traffic, and application self-removal or security-tool interference. Because the official ATT&CK object provides no detection text, detection engineering should be technique-led rather than relying on a single BRATA-specific rule.

Likely telemetry

  • Android application inventory, package names, icons, install source, and install/update timestamps
  • Mobile device management or enterprise mobility management records for app allow/deny status and device posture
  • Android permission grants, especially accessibility, location, phone/call, screen capture/media projection, and storage-related access where available
  • Runtime indicators such as dynamic code loading or downloaded secondary code after installation
  • Network telemetry for mobile devices, especially HTTP/HTTPS destinations, timing, volume, and repeated command-and-control-like patterns

Detection direction

  • Build detections around the related behaviors rather than the malware name alone, especially accessibility abuse, GUI input capture, screen capture, runtime code download, and exfiltration over web protocols.
  • Tune mobile-app risk scoring for applications that mimic legitimate names, icons, or package locations, request high-risk permissions, or change behavior after installation.
  • Correlate phishing reports or suspicious app-install events with subsequent permission grants, location access, outbound web traffic, or security-tool discovery/tampering.
  • Account for evasion blind spots: packing and obfuscation can reduce static-analysis value, runtime code download can bypass pre-publication scanning, geofencing and system checks can suppress behavior in test environments, and self-uninstall can reduce forensic artifacts.
  • Separate benign administrative or accessibility use from suspicious patterns by validating business-approved apps, documented accessibility needs, managed-device baselines, and expected mobile network destinations.

Mitigation priorities

  • Start with mobile governance: restrict app installation sources where feasible, maintain approved app inventories, and enforce MDM/EMM posture controls for Android devices used in business workflows.
  • Harden permissions: review and limit accessibility-service use, location access, call-control permissions, storage access, and screen-capture permissions to documented business needs.
  • Improve phishing resilience for mobile users, including reporting paths for suspicious links, prompts, and app installation requests.
  • Require mobile incident response procedures that preserve evidence quickly, because related behaviors include uninstalling the malicious application and disabling or modifying tools.
  • Use layered mobile security controls that combine app reputation, behavioral analysis, network monitoring, and device posture rather than depending only on static signatures.
Analyst notes and limits

The ATT&CK record identifies BRATA as Android malware, detected in late 2018 and again in late 2021, originating in Brazil and later reported in the UK, Poland, Italy, Spain, and the USA, with believed targeting of financial institutions such as banks. The relationship set is rich and should drive defensive validation: collection, credential/input capture, evasion, C2 over web protocols, exfiltration, and anti-analysis behaviors are all represented. This take intentionally does not assert current activity, specific victims, or guaranteed detection coverage.

Official detection guidance is not provided, tactics are not specified in the supplied object, and the related technique descriptions are behavioral context rather than proof of what any specific local sample or incident will do. Local telemetry, managed-device scope, app inventory, mobile network visibility, and IR evidence are required to determine actual exposure and coverage.

Official MITRE ATT&CK definition

BRATA

BRATA (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

27 rows
Domain ID Name Relationship / procedure
Mobile T1407 Download New Code at Runtime

BRATA has used an initial dropper to download an additional malicious application, and downloads its configuration file from the C2 server.[2][3]
Mobile T1430 Location Tracking

BRATA can track the device's location.[2]
Mobile T1630.001 Uninstall Malicious Application Sub-technique

BRATA can uninstall itself and remove traces of infection.[1][3]
Mobile T1513 Screen Capture

BRATA can capture and send real-time screen output.[1][3]
Mobile T1461 Lockscreen Bypass

BRATA can request the user unlock the device, or remotely unlock the device.[1]
Mobile T1662 Data Destruction

BRATA can perform a factory reset.[2]
Mobile T1417.001 Keylogging Sub-technique

BRATA can log device keystrokes.[1][2][3]
Mobile T1641.001 Transmitted Data Manipulation Sub-technique

BRATA has injected string contents into the device clipboard.[3]
Mobile T1426 System Information Discovery

BRATA can retrieve Android system and hardware information.[1]
Mobile T1406 Obfuscated Files or Information

BRATA has employed code obfuscation and encryption of configuration files.[2][3]
Mobile T1629.003 Disable or Modify Tools Sub-technique

BRATA can remove installed antivirus applications as well as disable Google Play Protect.[2][3]
Mobile T1627.001 Geofencing Sub-technique

BRATA has performed country and language checks.[3]
Mobile T1418.001 Security Software Discovery Sub-technique

BRATA can search for specifically installed security applications.[2]
Mobile T1633.001 System Checks Sub-technique

BRATA can check to see if it has been installed in a virtual environment.[3]
Mobile T1616 Call Control

BRATA can hide incoming calls by setting ring volume to 0 and showing a blank screen overlay.[3]
Mobile T1646 Exfiltration Over C2 Channel

BRATA has exfiltrated data to the C2 server using HTTP requests.[2]
Mobile T1655.001 Match Legitimate Name or Location Sub-technique

BRATA has masqueraded as legitimate WhatsApp updates and app security scanners.[1][3]
Mobile T1628.002 User Evasion Sub-technique

BRATA can turn off or fake turning off the screen while performing malicious activities.[1]
Mobile T1437.001 Web Protocols Sub-technique

BRATA can use both HTTP and WebSockets to communicate with the C2 server.[2]
Mobile T1516 Input Injection

BRATA can insert a given string of text into a data field. BRATA can abuse the Accessibility Service to interact with other installed applications and inject screen taps to grant permissions.[1][3]
Mobile T1532 Archive Collected Data

BRATA has compressed data with the `zlib` library before exfiltration.[2]
Mobile T1663 Remote Access Software

BRATA can view a device through VNC.[2]
Mobile T1664 Exploitation for Initial Access

BRATA has abused WhatsApp vulnerability CVE-2019-3568 to achieve initial access.[1]
Mobile T1417.002 GUI Input Capture Sub-technique

BRATA can use tailored overlay pages to steal PINs for banking applications.[2]
Mobile T1660 Phishing

BRATA has been distributed using phishing techniques, such as push notifications from compromised websites.[1]
Mobile T1533 Data from Local System

BRATA has collected account information from compromised devices.[1]
Mobile T1406.002 Software Packing Sub-technique

BRATA has utilized commercial software packers.[3]
Relationship explorer

All related ATT&CK context

uses · Technique T1407: Download New Code at Runtime Mobile uses · Technique T1430: Location Tracking Mobile uses · Technique T1630.001: Uninstall Malicious Application Mobile uses · Technique T1513: Screen Capture Mobile uses · Technique T1461: Lockscreen Bypass Mobile uses · Technique T1662: Data Destruction Mobile uses · Technique T1417.001: Keylogging Mobile uses · Technique T1641.001: Transmitted Data Manipulation Mobile uses · Technique T1426: System Information Discovery Mobile uses · Technique T1406: Obfuscated Files or Information Mobile uses · Technique T1629.003: Disable or Modify Tools Mobile uses · Technique T1627.001: Geofencing Mobile uses · Technique T1418.001: Security Software Discovery Mobile uses · Technique T1633.001: System Checks Mobile uses · Technique T1616: Call Control Mobile uses · Technique T1646: Exfiltration Over C2 Channel Mobile uses · Technique T1655.001: Match Legitimate Name or Location Mobile uses · Technique T1628.002: User Evasion Mobile uses · Technique T1437.001: Web Protocols Mobile uses · Technique T1516: Input Injection Mobile uses · Technique T1532: Archive Collected Data Mobile uses · Technique T1663: Remote Access Software Mobile uses · Technique T1664: Exploitation for Initial Access Mobile uses · Technique T1417.002: GUI Input Capture Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
9ddc47946a4366e0...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 9ddc47946a43…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    securelist_brata_0819

    Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.

    Open source URL
  2. [2]
    cleafy_brata_0122

    Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.

    Open source URL
  3. [3]
    mcafee_brata_0421

    Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.

    Open source URL
  4. [4]
    mitre-attack S1094
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use