www.thecybersecuritytimes.com
45.113.122.178  Public Scan

URL: https://www.thecybersecuritytimes.com/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/
Submission: On November 22 via api from US — Scanned from DE

Form analysis 5 forms found in the DOM

POST /brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n1

<form action="/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n1" method="post" class="es_subscription_form es_shortcode_form" id="es_subscription_form_619c072e31220" data-source="ig-es">
  <div class="es-field-wrap"><label>Name*<br><input type="text" name="esfpx_name" class="ig_es_form_field_name" placeholder="" value="" required="required"></label></div>
  <div class="es-field-wrap"><label>Email*<br><input class="es_required_field es_txt_email ig_es_form_field_email" type="email" name="esfpx_email" value="" placeholder="" required="required"></label></div><input type="hidden" name="esfpx_lists[]"
    value="04c29a18bfd7"><input type="hidden" name="esfpx_form_id" value="1"> <input type="hidden" name="es" value="subscribe">
  <input type="hidden" name="esfpx_es_form_identifier" value="f1-n1">
  <input type="hidden" name="esfpx_es_email_page" value="5873">
  <input type="hidden" name="esfpx_es_email_page_url" value="https://www.thecybersecuritytimes.com/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/">
  <input type="hidden" name="esfpx_status" value="Unconfirmed">
  <input type="hidden" name="esfpx_es-subscribe" id="es-subscribe-619c072e31220" value="18a4f4a3f3">
  <label style="position:absolute;top:-99999px;left:-99999px;z-index:-99;"><input type="email" name="esfpx_es_hp_email" class="es_required_field" tabindex="-1" autocomplete="-1" value=""></label>
  <input type="submit" name="submit" class="es_subscription_form_submit es_submit_button es_textbox_button" id="es_subscription_form_submit_619c072e31220" value="Subscribe">
  <span class="es_spinner_image" id="spinner-image"><img class="lazy" src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%201%201'%3E%3C/svg%3E"
      data-src="https://www.thecybersecuritytimes.com/wp-content/plugins/email-subscribers/lite/public/images/spinner.gif" alt="Loading"></span>
</form>

POST https://www.thecybersecuritytimes.com/wp-comments-post.php

<form action="https://www.thecybersecuritytimes.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
  <p class="comment-notes"><span id="email-notes">Your email address will not be published.</span> Required fields are marked <span class="required">*</span></p>
  <p class="comment-form-comment"><label for="comment">Comment</label> <textarea id="comment" name="comment" cols="45" rows="8" maxlength="65525" required="required"></textarea></p>
  <p class="comment-form-author"><label for="author">Name <span class="required">*</span></label> <input placeholder="Name*" id="author" name="author" type="text" value="" size="30" maxlength="245" required="required"></p>
  <p class="comment-form-email"><label for="email">Email <span class="required">*</span></label> <input type="email" placeholder="Email*" id="email" name="email" value="" size="30" maxlength="100" aria-describedby="email-notes" required="required">
  </p>
  <p class="comment-form-url"><label for="url">Website</label> <input placeholder="Website" id="url" name="url" type="url" value="" size="30" maxlength="200"></p>
  <p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"> <label for="wp-comment-cookies-consent">Save my name, email, and website in this browser for the next time
      I comment.</label></p>
  <p class="form-submit"><input name="submit" type="submit" id="submit" class="submit" value="Post Comment"> <input type="hidden" name="comment_post_ID" value="5873" id="comment_post_ID">
    <input type="hidden" name="comment_parent" id="comment_parent" value="0">
  </p>
  <p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="1e6301a772"></p>
  <p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js" name="ak_js" value="1637615407477">
    <script>
      document.getElementById("ak_js").setAttribute("value", (new Date()).getTime());
    </script>
  </p>
</form>

POST /brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n2

<form action="/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n2" method="post" class="es_subscription_form es_shortcode_form" id="es_subscription_form_619c072e3b464" data-source="ig-es">
  <div class="es-field-wrap"><label>Name*<br><input type="text" name="esfpx_name" class="ig_es_form_field_name" placeholder="" value="" required="required"></label></div>
  <div class="es-field-wrap"><label>Email*<br><input class="es_required_field es_txt_email ig_es_form_field_email" type="email" name="esfpx_email" value="" placeholder="" required="required"></label></div><input type="hidden" name="esfpx_lists[]"
    value="04c29a18bfd7"><input type="hidden" name="esfpx_form_id" value="1"> <input type="hidden" name="es" value="subscribe">
  <input type="hidden" name="esfpx_es_form_identifier" value="f1-n2">
  <input type="hidden" name="esfpx_es_email_page" value="5873">
  <input type="hidden" name="esfpx_es_email_page_url" value="https://www.thecybersecuritytimes.com/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/">
  <input type="hidden" name="esfpx_status" value="Unconfirmed">
  <input type="hidden" name="esfpx_es-subscribe" id="es-subscribe-619c072e3b464" value="18a4f4a3f3">
  <label style="position:absolute;top:-99999px;left:-99999px;z-index:-99;"><input type="email" name="esfpx_es_hp_email" class="es_required_field" tabindex="-1" autocomplete="-1" value=""></label>
  <input type="submit" name="submit" class="es_subscription_form_submit es_submit_button es_textbox_button" id="es_subscription_form_submit_619c072e3b464" value="Subscribe">
  <span class="es_spinner_image" id="spinner-image"><img class="lazy" src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%201%201'%3E%3C/svg%3E"
      data-src="https://www.thecybersecuritytimes.com/wp-content/plugins/email-subscribers/lite/public/images/spinner.gif" alt="Loading"></span>
</form>

POST /brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n3

<form action="/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n3" method="post" class="es_subscription_form es_shortcode_form" id="es_subscription_form_619c072e412ee" data-source="ig-es">
  <div class="es-field-wrap"><label>Name*<br><input type="text" name="esfpx_name" class="ig_es_form_field_name" placeholder="" value="" required="required"></label></div>
  <div class="es-field-wrap"><label>Email*<br><input class="es_required_field es_txt_email ig_es_form_field_email" type="email" name="esfpx_email" value="" placeholder="" required="required"></label></div><input type="hidden" name="esfpx_lists[]"
    value="04c29a18bfd7"><input type="hidden" name="esfpx_form_id" value="1"> <input type="hidden" name="es" value="subscribe">
  <input type="hidden" name="esfpx_es_form_identifier" value="f1-n3">
  <input type="hidden" name="esfpx_es_email_page" value="5873">
  <input type="hidden" name="esfpx_es_email_page_url" value="https://www.thecybersecuritytimes.com/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/">
  <input type="hidden" name="esfpx_status" value="Unconfirmed">
  <input type="hidden" name="esfpx_es-subscribe" id="es-subscribe-619c072e412ee" value="18a4f4a3f3">
  <label style="position:absolute;top:-99999px;left:-99999px;z-index:-99;"><input type="email" name="esfpx_es_hp_email" class="es_required_field" tabindex="-1" autocomplete="-1" value=""></label>
  <input type="submit" name="submit" class="es_subscription_form_submit es_submit_button es_textbox_button" id="es_subscription_form_submit_619c072e412ee" value="Subscribe">
  <span class="es_spinner_image" id="spinner-image"><img class="lazy" src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%201%201'%3E%3C/svg%3E"
      data-src="https://www.thecybersecuritytimes.com/wp-content/plugins/email-subscribers/lite/public/images/spinner.gif" alt="Loading"></span>
</form>

Name: searchform
GET https://www.thecybersecuritytimes.com//

<form role="search" method="get" name="searchform" id="searchform" action="https://www.thecybersecuritytimes.com//">
  <div>
    <input type="text" value="" name="s" id="s" autocomplete="off" placeholder="Enter Keyword">
    <div class="search_tagline">Press enter/return to begin your search</div>
    <button>
      <i class="fa fa-search"></i>
    </button>
  </div>
  <div id="autocomplete"></div>
</form>

Text Content


BRAZKING TROJAN RETURNS TO ANDROID AND IS NOW IMMUNE TO ANTIVIRUS

William Marshal Posted On November 19, 2021

The banking Trojan BrazKing has returned with new tricks that allow it to
operate without requiring security permissions to be approved. IBM Trusteer
researchers have studied a new malware sample that was discovered outside of
the Google Play Store and was found being distributed via SMS.

The lure warns targets that their Android version is outdated and offers the
payload as an updated APK file. According to an IBM report, this malware seems
to be operated by local threat actors, as it seems active on
Portuguese-speaking websites.

Permission and penetration of BrazKing Trojan

If a user acts on one of these SMS messages and has downloads from unknown
sources turned ON, the malware is deployed onto that device and then requests
Accessibility access. These accessibility permissions allow the BrazKing Trojan
to record screenshots and keystrokes.

Furthermore, the BrazKing Trojan uses this accessibility service for multiple
purposes:

 * On a non-rooted device, an approval is required for dissecting the screen
   programmatically rather than in picture format. On a rooted device, the
   Trojan already has that approval.
 * Manipulating the banking application by tapping buttons.
 * Reading SMS messages, which gives it an upper hand over OTP authentication.
 * Keylogger capabilities.
 * Stealing contact details by sneaking into android.permission.READ_CONTACTS.

Google’s latest edition, Android 11, has enhanced the security of apps by
treating the list of installed apps as sensitive data, which is why banking
Trojans have had to improve their penetration techniques as well. Earlier
Trojans used to exploit the ‘getInstalledPackages’ API, but since the Google
enhancement they have switched to screen dissection to figure out which apps
are installed on infected devices.

The BrazKing Trojan uses a similar technique to overlay a fake screen on top of
banking applications using the ‘SYSTEM_ALERT_WINDOW’ option. This allows the
attacker to load a fake screen using the accessibility service, and when a
banking app is detected, the command and control server comes into play,
delivering a dynamic overlay to steal the credentials.

The attacker can also manipulate and create new login screens modeled on the
original banking apps.

BrazKing Trojan could be hard to erase

Unlike other Trojans, which can be detected and removed using an antivirus
solution, BrazKing comes with its own deletion protection that keeps it on the
infected device long term. If the user attempts to remove the malware or use an
antivirus solution, the Trojan immediately triggers the ‘Back’ or ‘Home’
button. The Trojan also secures its internal resources using an XOR operation
with a hard-coded key and further encodes them with Base64. This evolution in
malware shows that cyber actors are constantly improving their attack vectors,
giving them an advantage even as Google continues to tighten Android’s
security posture.




Author

WILLIAM MARSHAL

William has been one of the key contributors to 'The Cybersecurity Times' with
9.5 years of experience in cybersecurity journalism. Apart from writing, he
also likes hiking, skating and coding.


© The Cybersecurity Times 2021. All rights reserved.