New Android Malware “Brokewell” Spreads via Fake Browser Updates
TL;DR: Brokewell, a new Android banking malware, spreads through fake browser updates. It bypasses Google’s restrictions, steals data, and offers remote control. The mastermind behind it also provides a loader, lowering the entry barrier for cybercriminals.
Cybercriminals are using fake browser updates to distribute a previously unknown Android malware called “Brokewell,” according to a recent analysis by Dutch security firm ThreatFabric.
A Modern Banking Trojan
Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities. The malware is actively being developed, with new commands being added to capture touch events, on-screen textual information, and the applications a victim launches.
Brokewell apps masquerade as popular applications like Google Chrome, ID Austria, and Klarna. The following is a list of the malicious app package names:
- jcwAz.EpLIq.vcAZiUGZpK (Google Chrome)
- zRFxj.ieubP.lWZzwlluca (ID Austria)
- com.brkwl.upstracking (Klarna)
Bypassing Google’s Restrictions
Like other recent Android malware families, Brokewell can bypass restrictions imposed by Google that prevent sideloaded apps from requesting accessibility service permissions. Once installed and launched for the first time, the banking trojan prompts the victim to grant accessibility service permissions, which it then uses to automatically grant other permissions and carry out various malicious activities.
Stealing Credentials and Cookies
Brokewell displays overlay screens on top of targeted apps to steal user credentials. It can also steal cookies by launching a WebView and loading the legitimate website, after which the session cookies are intercepted and sent to an actor-controlled server.
Extensive Malicious Capabilities
The malware boasts an array of malicious features, including:
- Recording audio
- Taking screenshots
- Retrieving call logs
- Accessing device location
- Listing installed apps
- Recording every event happening on the device
- Sending SMS messages
- Making phone calls
- Installing and uninstalling apps
- Disabling the accessibility service
Remote Control Functionality
The threat actors can use Brokewell’s remote control functionality to see what’s displayed on the device’s screen in real-time and interact with the device through clicks, swipes, and touches.
The Mastermind Behind Brokewell
Brokewell is believed to be the work of a developer named “Baron Samedit Marais,” who manages the “Brokewell Cyber Labs” project. The project includes an Android Loader publicly hosted on Gitea, which acts as a dropper to bypass accessibility permissions restrictions in Android versions 13, 14, and 15.
Lowering the Entry Barrier for Cybercriminals
The free availability of the loader could lead to its adoption by other threat actors looking to circumvent Android’s security protections. This lowers the entry barrier for cybercriminals looking to distribute mobile malware on modern devices, making it easier for more actors to enter the field.
Stay vigilant.