www.thecybersecuritytimes.com
45.113.122.178
Public Scan
URL:
https://www.thecybersecuritytimes.com/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/
Submission: On November 22 via api from US — Scanned from DE
Form analysis
5 forms found in the DOM
POST /brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n1
<form action="/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n1" method="post" class="es_subscription_form es_shortcode_form" id="es_subscription_form_619c072e31220" data-source="ig-es">
<div class="es-field-wrap"><label>Name*<br><input type="text" name="esfpx_name" class="ig_es_form_field_name" placeholder="" value="" required="required"></label></div>
<div class="es-field-wrap"><label>Email*<br><input class="es_required_field es_txt_email ig_es_form_field_email" type="email" name="esfpx_email" value="" placeholder="" required="required"></label></div><input type="hidden" name="esfpx_lists[]"
value="04c29a18bfd7"><input type="hidden" name="esfpx_form_id" value="1"> <input type="hidden" name="es" value="subscribe">
<input type="hidden" name="esfpx_es_form_identifier" value="f1-n1">
<input type="hidden" name="esfpx_es_email_page" value="5873">
<input type="hidden" name="esfpx_es_email_page_url" value="https://www.thecybersecuritytimes.com/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/">
<input type="hidden" name="esfpx_status" value="Unconfirmed">
<input type="hidden" name="esfpx_es-subscribe" id="es-subscribe-619c072e31220" value="18a4f4a3f3">
<label style="position:absolute;top:-99999px;left:-99999px;z-index:-99;"><input type="email" name="esfpx_es_hp_email" class="es_required_field" tabindex="-1" autocomplete="-1" value=""></label>
<input type="submit" name="submit" class="es_subscription_form_submit es_submit_button es_textbox_button" id="es_subscription_form_submit_619c072e31220" value="Subscribe">
<span class="es_spinner_image" id="spinner-image"><img class="lazy" src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%201%201'%3E%3C/svg%3E"
data-src="https://www.thecybersecuritytimes.com/wp-content/plugins/email-subscribers/lite/public/images/spinner.gif" alt="Loading"></span>
</form>
POST https://www.thecybersecuritytimes.com/wp-comments-post.php
<form action="https://www.thecybersecuritytimes.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
<p class="comment-notes"><span id="email-notes">Your email address will not be published.</span> Required fields are marked <span class="required">*</span></p>
<p class="comment-form-comment"><label for="comment">Comment</label> <textarea id="comment" name="comment" cols="45" rows="8" maxlength="65525" required="required"></textarea></p>
<p class="comment-form-author"><label for="author">Name <span class="required">*</span></label> <input placeholder="Name*" id="author" name="author" type="text" value="" size="30" maxlength="245" required="required"></p>
<p class="comment-form-email"><label for="email">Email <span class="required">*</span></label> <input type="email" placeholder="Email*" id="email" name="email" value="" size="30" maxlength="100" aria-describedby="email-notes" required="required">
</p>
<p class="comment-form-url"><label for="url">Website</label> <input placeholder="Website" id="url" name="url" type="url" value="" size="30" maxlength="200"></p>
<p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"> <label for="wp-comment-cookies-consent">Save my name, email, and website in this browser for the next time
I comment.</label></p>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="submit" value="Post Comment"> <input type="hidden" name="comment_post_ID" value="5873" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="1e6301a772"></p>
<p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js" name="ak_js" value="1637615407477">
<script>
document.getElementById("ak_js").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
POST /brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n2
<form action="/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n2" method="post" class="es_subscription_form es_shortcode_form" id="es_subscription_form_619c072e3b464" data-source="ig-es">
<div class="es-field-wrap"><label>Name*<br><input type="text" name="esfpx_name" class="ig_es_form_field_name" placeholder="" value="" required="required"></label></div>
<div class="es-field-wrap"><label>Email*<br><input class="es_required_field es_txt_email ig_es_form_field_email" type="email" name="esfpx_email" value="" placeholder="" required="required"></label></div><input type="hidden" name="esfpx_lists[]"
value="04c29a18bfd7"><input type="hidden" name="esfpx_form_id" value="1"> <input type="hidden" name="es" value="subscribe">
<input type="hidden" name="esfpx_es_form_identifier" value="f1-n2">
<input type="hidden" name="esfpx_es_email_page" value="5873">
<input type="hidden" name="esfpx_es_email_page_url" value="https://www.thecybersecuritytimes.com/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/">
<input type="hidden" name="esfpx_status" value="Unconfirmed">
<input type="hidden" name="esfpx_es-subscribe" id="es-subscribe-619c072e3b464" value="18a4f4a3f3">
<label style="position:absolute;top:-99999px;left:-99999px;z-index:-99;"><input type="email" name="esfpx_es_hp_email" class="es_required_field" tabindex="-1" autocomplete="-1" value=""></label>
<input type="submit" name="submit" class="es_subscription_form_submit es_submit_button es_textbox_button" id="es_subscription_form_submit_619c072e3b464" value="Subscribe">
<span class="es_spinner_image" id="spinner-image"><img class="lazy" src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%201%201'%3E%3C/svg%3E"
data-src="https://www.thecybersecuritytimes.com/wp-content/plugins/email-subscribers/lite/public/images/spinner.gif" alt="Loading"></span>
</form>
POST /brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n3
<form action="/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/#es_form_f1-n3" method="post" class="es_subscription_form es_shortcode_form" id="es_subscription_form_619c072e412ee" data-source="ig-es">
<div class="es-field-wrap"><label>Name*<br><input type="text" name="esfpx_name" class="ig_es_form_field_name" placeholder="" value="" required="required"></label></div>
<div class="es-field-wrap"><label>Email*<br><input class="es_required_field es_txt_email ig_es_form_field_email" type="email" name="esfpx_email" value="" placeholder="" required="required"></label></div><input type="hidden" name="esfpx_lists[]"
value="04c29a18bfd7"><input type="hidden" name="esfpx_form_id" value="1"> <input type="hidden" name="es" value="subscribe">
<input type="hidden" name="esfpx_es_form_identifier" value="f1-n3">
<input type="hidden" name="esfpx_es_email_page" value="5873">
<input type="hidden" name="esfpx_es_email_page_url" value="https://www.thecybersecuritytimes.com/brazking-trojan-returns-to-android-and-is-now-immune-to-antivirus/">
<input type="hidden" name="esfpx_status" value="Unconfirmed">
<input type="hidden" name="esfpx_es-subscribe" id="es-subscribe-619c072e412ee" value="18a4f4a3f3">
<label style="position:absolute;top:-99999px;left:-99999px;z-index:-99;"><input type="email" name="esfpx_es_hp_email" class="es_required_field" tabindex="-1" autocomplete="-1" value=""></label>
<input type="submit" name="submit" class="es_subscription_form_submit es_submit_button es_textbox_button" id="es_subscription_form_submit_619c072e412ee" value="Subscribe">
<span class="es_spinner_image" id="spinner-image"><img class="lazy" src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%201%201'%3E%3C/svg%3E"
data-src="https://www.thecybersecuritytimes.com/wp-content/plugins/email-subscribers/lite/public/images/spinner.gif" alt="Loading"></span>
</form>
Name: searchform — GET https://www.thecybersecuritytimes.com//
<form role="search" method="get" name="searchform" id="searchform" action="https://www.thecybersecuritytimes.com//">
<div>
<input type="text" value="" name="s" id="s" autocomplete="off" placeholder="Enter Keyword">
<div class="search_tagline">Press enter/return to begin your search</div>
<button>
<i class="fa fa-search"></i>
</button>
</div>
<div id="autocomplete"></div>
</form>
Text Content
BRAZKING TROJAN RETURNS TO ANDROID AND IS NOW IMMUNE TO ANTIVIRUS

William Marshal, posted on November 19, 2021

The banking Trojan BrazKing has returned with new tricks that would allow it to operate without the approval of security permissions. IBM Trusteer researchers have studied a new malware sample that was discovered outside of the Google Play Store and was found being distributed via SMS. The lure warns targets that their Android version is outdated and offers the payload as an updated APK file.

According to an IBM report, this malware seems to be operated by local threat actors, as it appears to be active on Portuguese-speaking websites.

Permission and penetration of BrazKing Trojan

If a user reacts to one of those SMS messages and has downloads from unknown sources turned ON, the malware is deployed onto the device and then requests the Accessibility permission. This accessibility permission allows the BrazKing Trojan to record screenshots and keystrokes.

Furthermore, the BrazKing Trojan uses this accessibility service for multiple purposes:

* If the device is non-rooted, an approval is required for dissecting the screen programmatically rather than in picture format. If it is a rooted device, the Trojan already has the approval for it.
* Manipulating the banking application by tapping buttons.
* Reading SMS, and thus gaining an upper hand over OTP authentication.
* Keylogger capabilities.
* Stealing contact details by sneaking into android.permission.READ_CONTACTS.

Google’s latest edition, Android 11, has enhanced the security of apps by categorizing the list of installed apps as sensitive data, which is why banking Trojans have needed to improve their penetration techniques as well. Earlier Trojans used to exploit the ‘getInstalledPackages’ API, but since the Google enhancement they have switched to screen dissection to figure out which apps are installed on infected devices.

The BrazKing Trojan uses a similar technique that overlays a fake screen on top of banking applications using the ‘SYSTEM_ALERT_WINDOW’ option. This allows the attacker to load a fake screen using the accessibility service, and when a banking app is detected, the command and control server comes into play, delivering a dynamic overlay to steal the credentials. The attacker can also manipulate and create new login screens that mimic the original banking apps.

BrazKing Trojan could be hard to erase

Unlike other Trojans, which can be detected and removed using an antivirus solution, BrazKing comes with its own deletion protection that keeps it on the infected device long term. If the user attempts to remove the malware or use an antivirus solution, the Trojan immediately triggers the ‘Back’ or ‘Home’ button.

The Trojan also secures its internal materials using the XOR operation with a hard-coded key, and further encapsulates them with Base64.

This evolution in malware only proves that cyber actors are constantly improving their attack vectors, giving them an advantage even as Google continues to tighten Android’s security posture.

Tags: Android Malware, BrazKing Malware, BrazKing Trojan, BrazKing Trojan Android Malware

Author: WILLIAM MARSHAL
William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.