TL;DR: New Android malware Brokewell can fully control devices and steal data. Delivered through fake Chrome update, it has extensive capabilities. Developed by Baron Samedit, it bypasses Android security restrictions. Expected to become a malware-as-a-service offering. Users should avoid non-Google Play downloads and keep Play Protect active.
Security experts have found a new Android banking trojan called Brokewell. It can capture every event on the device, from touches and information shown to text input and the apps the user opens.
The malware is delivered through a fake Google Chrome update that is displayed while using the web browser. Brokewell is under active development and has a mix of extensive device takeover and remote control abilities.
Brokewell Details
ThreatFabric researchers found Brokewell after looking into a fake Chrome update page that dropped a payload, a common way of tricking users into installing malware.
Looking at past campaigns, the researchers found that Brokewell had previously been used to target “buy now, pay later” financial services (e.g. Klarna) and had impersonated an Austrian digital authentication application called ID Austria.
Brokewell’s main capabilities are to steal data and offer remote control to attackers.
Data Stealing:
- Mimics the login screens of targeted applications to steal credentials (overlay attacks).
- Uses its own WebView to intercept and extract cookies after a user logs into a legitimate site.
- Captures the victim’s interaction with the device, including taps, swipes, and text inputs, to steal sensitive data displayed or entered on the device.
- Gathers hardware and software details about the device.
- Retrieves the call logs.
- Determines the physical location of the device.
- Captures audio using the device’s microphone.
Device Takeover:
- Allows the attacker to see the device’s screen in real-time (screen streaming).
- Executes touch and swipe gestures remotely on the infected device.
- Allows remote clicking on specified screen elements or coordinates.
- Enables remote scrolling within elements and typing text into specified fields.
- Simulates physical button presses like Back, Home, and Recents.
- Activates the device’s screen remotely to make any info available for capture.
- Adjusts settings like brightness and volume all the way down to zero.
New Threat Actor and Loader
ThreatFabric reports that the developer behind Brokewell is an individual calling themselves Baron Samedit, who for at least two years had been selling tools for checking stolen accounts.
The researchers discovered another tool called “Brokewell Android Loader,” also developed by Samedit. The tool was hosted on one of the servers acting as a command and control server for Brokewell and it is used by multiple cybercriminals.
Interestingly, this loader can bypass the restrictions Google introduced in Android 13 and later to prevent abuse of Accessibility Service for side-loaded apps (APKs).
This bypass has been an issue since mid-2022 and became a bigger problem in late 2023 with the availability of dropper-as-a-service (DaaS) operations offering it as part of their service, as well as malware incorporating the techniques into their custom loaders.
As Brokewell illustrates, loaders that bypass the restrictions meant to prevent Accessibility Service access from being granted to APKs downloaded from untrusted sources have now become common and widely deployed in the wild.
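Because the Android 13 restriction is supposed to stop side-loaded APKs from obtaining Accessibility Service access, a quick defender-side check is to list every app that currently holds that access and compare it against the installer recorded for the package. The script below is an added example, not code from the article or from ThreatFabric. On a real device the two inputs come from `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`; here both are replaced with constructed sample output (the package names and service names are invented) so the script runs offline.

```shell
#!/bin/sh
# Added example: flag third-party apps that hold Accessibility Service access
# but were not installed by Google Play (installer com.android.vending).
# Inputs are CONSTRUCTED stand-ins for the two adb commands named above.

# Constructed stand-in for `settings get secure enabled_accessibility_services`
# (colon-separated list of package/service-class entries).
SAMPLE_ENABLED_SERVICES='com.example.screenreader/com.example.screenreader.TalkService:com.fake.chromeupdate/com.fake.chromeupdate.AccService'

# Constructed stand-in for `pm list packages -3 -i`
# (one "package:<name>  installer=<installer>" line per third-party app).
SAMPLE_PACKAGES='package:com.example.screenreader  installer=com.android.vending
package:com.fake.chromeupdate  installer=null
package:com.bank.app  installer=com.android.vending'

# Print the package name of every enabled accessibility service, one per line.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Print the installer recorded for package $1 in listing $2 (empty if unknown).
installer_of() {
    pkg="$1"; listing="$2"
    printf '%s\n' "$listing" | grep "^package:${pkg} " | sed -n 's/.*installer=\([^ ]*\).*/\1/p'
}

# Print "<package> installer=<installer>" for each accessibility-enabled app
# whose installer is not Google Play; these are the ones to investigate.
flag_sideloaded_accessibility() {
    services="$1"; listing="$2"
    for pkg in $(accessibility_packages "$services"); do
        inst=$(installer_of "$pkg" "$listing")
        if [ "$inst" != "com.android.vending" ]; then
            printf '%s installer=%s\n' "$pkg" "${inst:-unknown}"
        fi
    done
}

flag_sideloaded_accessibility "$SAMPLE_ENABLED_SERVICES" "$SAMPLE_PACKAGES"
```

Run against the sample data it reports only `com.fake.chromeupdate installer=null`: the app holds Accessibility access yet has no Play Store installer, which on Android 13 or later should not normally be possible for a side-loaded APK and is exactly the condition a loader of the kind described above produces. A legitimate screen reader installed from Play is not flagged. Replace the two sample variables with the live adb output to audit a real device.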
Security researchers warn that device takeover capabilities such as those available in the Brokewell Banker for Android are in high demand among cybercriminals because they allow them to perform fraud from the victim’s device, thus evading fraud evaluation and detection tools.
They expect Brokewell to be further developed and offered to other cybercriminals on underground forums as part of a malware-as-a-service (MaaS) operation.
To protect yourself from Android malware infections, avoid downloading apps or app updates from outside Google Play and ensure that Play Protect is active on your device at all times.
Be careful.
Stay safe.