BrazKing Trojan returns to Android and is now immune to Antivirus
The banking Trojan BrazKing has returned with new tricks that allow it to operate without the approval of security permissions. IBM Trusteer researchers analysed a new sample, which was discovered outside the Google Play Store and is distributed via SMS.
The lure warns targets that their Android version is outdated and offers the payload as an updated APK file. According to the IBM report, the malware appears to be operated by local threat actors, as it is active on Portuguese-speaking websites.
Permission and penetration of BrazKing Trojan
If a user reacts to one of these SMS messages and has installation from unknown sources turned on, the malware is installed on the device and then requests the Accessibility permission. This accessibility permission allows BrazKing to capture screenshots and keystrokes.
BrazKing also uses the accessibility service for several purposes:
- On a non-rooted device, user approval is required to dissect the screen programmatically (as text rather than as a picture); on a rooted device the Trojan already has that access.
- Manipulating the banking application by tapping buttons on the user's behalf.
- Reading SMS messages, giving it the upper hand over OTP-based authentication.
- Keylogging.
- Stealing contact details by sidestepping android.permission.READ_CONTACTS.
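The accessibility service is the enabler for everything in the list above, so the first thing a defender checks on a suspect device is which accessibility services are enabled. This added Python example (not code from the article or from IBM Trusteer) parses the value of Android's `enabled_accessibility_services` secure setting, as returned by `adb shell settings get secure enabled_accessibility_services`, and flags any service whose package is not on an allowlist. The sample value and the `com.example.fakeupdate` package are constructed; the TalkBack entry is Android's real screen reader, and the allowlist is an assumption about what a given fleet expects.

```python
"""Audit which accessibility services are enabled on an Android device.

Added example, not code from the article or from IBM Trusteer. The setting
value format is what Android stores: package/class pairs separated by ':',
or the literal string 'null' when nothing is enabled.
"""

# Constructed sample of the output of
#   adb shell settings get secure enabled_accessibility_services
# The TalkBack entry is Android's real screen reader; 'com.example.fakeupdate'
# is a made-up package standing in for a malicious "update" app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.ScreenService"
)

# Packages whose accessibility services are expected on this fleet (assumption).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(value: str) -> list[tuple[str, str]]:
    """Split the setting into (package, service_class) pairs."""
    value = value.strip()
    if not value or value == "null":
        return []
    entries = []
    for item in value.split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        # Android allows the class to be abbreviated with a leading dot.
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def unexpected_services(value: str, allowlist: set[str]) -> list[tuple[str, str]]:
    """Return enabled services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(value)
            if pkg not in allowlist]


if __name__ == "__main__":
    for pkg, cls in unexpected_services(SAMPLE_SETTING, ALLOWLIST):
        print(f"unexpected accessibility service enabled: {pkg} ({cls})")
```

An unexpected entry is not proof of infection on its own, but on a device that was recently asked to "update" via an SMS link it is the strongest single indicator to act on, and the same parser works on values collected from a fleet through MDM.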
Android 11 tightened app security by treating the list of installed apps as sensitive data, forcing banking Trojans to change how they identify their targets. Earlier Trojans relied on the getInstalledPackages API; since that change, they have switched to screen dissection to work out which apps are installed on an infected device.
BrazKing uses a similar technique, overlaying a fake screen on top of banking applications via the SYSTEM_ALERT_WINDOW option. The fake screen is loaded through the accessibility service; when a banking app is detected, the command-and-control server comes into play and delivers a dynamic overlay to steal the credentials.
The attacker can also build new login screens that mimic the original banking apps.
BrazKing Trojan could be hard to erase
Unlike other Trojans, which can be detected and removed with an antivirus solution, BrazKing comes with its own deletion protection that keeps it on the infected device long term. If the user attempts to remove the malware or open an antivirus app, the Trojan immediately triggers the 'Back' or 'Home' button. The Trojan also protects its internal strings with an XOR operation using a hard-coded key, and further wraps them in Base64.
This evolution only proves that threat actors are constantly improving their attack vectors, keeping an advantage even as Google continues to tighten Android's security posture.
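The XOR-plus-Base64 layering described above is trivial to undo once the key is known, and an analyst often recovers a hard-coded repeating key from a guessed plaintext prefix. This added Python example (not code from the article or IBM Trusteer, and not BrazKing's actual key, strings or key length, all of which are constructed here) shows both directions: encoding a sample string the way the article describes, decoding it, and recovering the key from a known prefix so that the rest of a sample's strings can be read.

```python
"""Undo the XOR-then-Base64 string protection the article describes.

Added example, not code from the article or IBM Trusteer. The key, the
plaintext and the key length are constructed for illustration; they are
not BrazKing's.
"""
import base64
import string

HARDCODED_KEY = b"k3y!"                              # constructed 4-byte repeating key
SAMPLE_PLAINTEXT = b"config://example.invalid/gate"  # constructed sample string


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte against a repeating key. XOR is its own inverse, so
    the same function both protects and unprotects."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_blob(plaintext: bytes, key: bytes) -> str:
    """Layering described in the article: XOR with the key, then Base64."""
    return base64.b64encode(xor_with_key(plaintext, key)).decode("ascii")


def decode_blob(blob: str, key: bytes) -> bytes:
    """Reverse the layering: Base64-decode, then XOR with the same key."""
    return xor_with_key(base64.b64decode(blob), key)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; a cheap sanity check that a
    candidate key produced real text rather than noise."""
    if not data:
        return 0.0
    printable = set(string.printable.encode("ascii"))
    return sum(1 for b in data if b in printable) / len(data)


def recover_key_from_known_prefix(blob: str, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery for a repeating XOR key: if the analyst can
    guess the first key_len bytes of the decoded string (a URL scheme, a JSON
    brace, a package name), XORing them with the raw bytes yields the key."""
    raw = base64.b64decode(blob)
    if len(known_prefix) < key_len or len(raw) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(r ^ p for r, p in zip(raw[:key_len], known_prefix[:key_len]))


if __name__ == "__main__":
    blob = encode_blob(SAMPLE_PLAINTEXT, HARDCODED_KEY)
    print("stored form:", blob)
    key = recover_key_from_known_prefix(blob, b"config://", len(HARDCODED_KEY))
    print("recovered key:", key)
    decoded = decode_blob(blob, key)
    print("decoded:", decoded.decode("ascii"),
          f"(printable ratio {printable_ratio(decoded):.2f})")
```

In practice the key length is unknown at first; trying a small range of lengths and keeping the candidate whose decoded output has the highest printable ratio is usually enough, because a wrong key turns most bytes into non-printable noise.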