Table of Contents
November 24, 2021
|6m
How To Protect Your Android Device From The New BrazKing Android Malware?
BrazKing is a banking Trojan for Android that belongs to the RAT family. According to a report, the New BrazKing Android Malware has been in existence since 2018 November and it is most likely operated by a local threat organization and primarily targets Brazilian mobile banking users. It turns out that the Malware’s creators have been working to make it more agile than before.
This post details our findings regarding the New BrazKing Malware version, its dynamic mechanisms, features that enable cybercriminals to use it in mobile banking fraud, and finally how Android users can prevent its attack. As I write this, we can see that BrazKing is still in development, and we anticipate that there will be more soon.
What Is New In The New BrazKing Android Malware?
The New BrazKing Android Malware, according to the strain, automates a call to the attacker’s server, requesting those matches on the fly. The virus now detects which program is being used on the server-side, and it sends on-screen material to the C2. Credential grabbing is then initiated by the C2 server rather than by a command from the virus.
The added agility here is that the attacker can choose or skip the next action based on the victim’s IP address or if the Malware is being run on an emulator. They can change what is returned. They can change the target list at any time without having to change the Malware.
In addition, the new trojan type has increased screen overlay functionality. On Android smartphones, traditional overlay malware creates a phony screen on top of the original banking apps. BrazKing now works without the SYSTEM ALERT WINDOW permission, which helps BrazKing to be more elusive.
The New BrazKing Android Malware loads the fake screen’s URL from the C2 into a WebView in a window displaying its overlay screen. Users can open links within apps using Android System WebView without having to exit the app. When adding the WebView from within the accessibility service, BrazKing utilizes TYPE ACCESSIBILITY OVERLAY as the window type. The overlay window then appears on the screen, covering the original app and displays such as the ‘Settings’ menu window. While the actual app is covered with a phony overlay, BrazKing may intercept the views in the background, touch buttons, and even enter text in Android text views while presenting the overlay screen to the user.
What Is BrazKing Android Malware Capable Of Doing?
Input injection — allows the fraudster to communicate with the device’s running programs.
Screen dissection — giving the attacker information about what the user sees on their computer screen.
Keylogging – assists attackers in obtaining credentials from a device.
Fake overlay displays — allowing BrazKing to deceive users into sharing credentials while simultaneously preventing them from interacting with the actual app.
The Malware is capable of locking the phone’s screen and displaying a delay screen to the user.
Block users when they try to uninstall it. When the user attempts to remove the Malware, it takes over to prevent it from being deleted. BrazKing is built on knowing when the user opens the uninstall screen.
Block factory settings – When a user tries to reset the smartphone, the New BrazKing Android Malware will tap the ‘Back’ and ‘Home’ buttons quicker than a person could, preventing them from eradicating the infection. Additionally, when users try to engage with antivirus programs, the same strategy is utilized, returning them to the home screen if they run a scan or quarantine malware.
RAT capabilities—BrazKing can modify the target banking application by touching buttons or entering text.
Read SMS without having android permission.
Read contact lists without having the ‘android—permission’ permission.
How Does The New BrazKing Android Malware Infect Victims?
The infection process begins with a social engineering message that links to an HTTPS website that alerts potential victims about security risks with their devices and offers the option to update to the most recent version of the operating system or google services. However, for the attacks to succeed, users must enable a setting to install programs from unknown sources.
The first infection vector is a phishing message with a URL that goes to a website saying the device is about to be stopped owing to a reported lack of security. It needs the user to tap a button on the page to ‘upgrade’ the operating system. The site is secured by HTTPS, making it appear more trustworthy.
The download of BrazKing begins when you tap the button. The package manager installs the software when it is downloaded via the browser. To accomplish this, the user must consent to the installation of programs from unknown sources.
Following the initial download, the virus requests rights from the user under the pretext of a Google requirement.
The Malware begins to run in the background after the user approves the accessibility service request. The Malware’s app icon vanishes from the screen with Android 10 and earlier versions.
New Bot Registration -BrazKing is ready and waiting for directives from the C2 server once it has been registered.
The C2 instructs the Malware to display a message to entice the user to open the banking application.
The C2 instructs the Malware to launch the banking software.
Targets (Victims) Of The BrazKing Android Malware:
The New BrazKing Android Malware is found to be targeting most likely Brazilian users which use Android devices.
How To Protect Your Device From The New BrazKing Android Malware?
The New BrazKing Android Malware is harmful, and Android users should be cautious. If a person cannot uninstall an application, factory reset their smartphone, or install antivirus, and they should detect being infected by the New BrazKing Android Malware. The following are best protection remedies:
Android users must protect themselves from such assaults by avoiding suspicious links.
Blocking the installation of apps from unknown sources.
Download and install antivirus and firewall software.
Only purchase Apps from reputable and known sources.
Don’t open attachments from unknown sources or click on dubious links.
Be wary of pop-up windows that ask you to install the software.
IOCs Of The New BrazKing Android Malware:
| Package name | Application name | APK Hash (SHA256) |
| com.gkoiyz.prof | Google Service | d5bd93943a5433a4da132a8eab5dd14c0b5c320a40b1209812bc2c957fe6d090 |
| br.EMyO.ImBd | GService | 7774d7d0cb3635886f030cb55b51627fd02b25fcaf00c2d1d8d7c5533351f16a |
| br.WsLK.aXzD | GService | a00f8137fa6a89c5de8674a23e39bf2933fd76d8639f8ecef7948158bb61a907 |
| com.netsonicsolutions.gservice | GService | 2683b19c5d0001b22bd7e455d96cb2b92eb4d5d6c9c2b89cc87be6365a75e0f7 |
| com.cuteu.videochat | GService | 9cdffc731d56a20d44923e098423dc9a8a2add3a2a19833daae107a3e2ed2eda |
We hope this post would help you in knowing How To Protect Your Android Device From the New BrazKing Android Malware. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
