Brokewell, the Android malware hidden in fake Chrome updates that steals sensitive data

Brokewell is the name given to a new, previously undocumented Android malware that hides behind fake Chrome browser updates.

It is a typical banking Trojan capable of capturing every action performed on the device, from screen touches and the information displayed to the text the user enters and the applications the user launches. It is particularly dangerous because it can also simulate touches on the smartphone display, scroll through screens and capture audio via the device’s microphone.

As if that were not enough, the new Brokewell banking Trojan can also gather hardware and software details about the device, retrieve call logs, determine the physical location of the device and record audio through the device’s microphone.

According to the report published by analysts at the Dutch security company ThreatFabric, the malicious code is still under development, but initial analysis shows that it is already equipped with advanced features, including data theft and full remote control of compromised devices.

To steal sensitive data from the victim, Brokewell bypasses the restrictions Google introduced in Android 13 and later to prevent sideloaded applications (APKs) from abusing the accessibility service.

Data theft and device control capabilities

Brokewell was discovered by ThreatFabric researchers while analyzing a web page promoting a fake Chrome update, a method widely used by criminal hackers to trick unwary users into downloading and installing malware hidden inside seemingly harmless applications.

Delving deeper into past campaigns, researchers revealed that Brokewell had previously been employed to target “buy now, pay later” financial services and to masquerade as an Austrian digital authentication application called ID Austria.

Using overlay attacks, Brokewell imitates the login screens of targeted applications to steal the credentials of unsuspecting victims.

Furthermore, by leveraging the integrated WebView engine, the malware can intercept and extract session cookies after the user has logged in to a legitimate site, and then transfer them to a server controlled by the threat actor.

Immediately after installation and first boot, Brokewell asks the victim to grant permissions to the Android Accessibility Service, which it subsequently exploits to automatically grant other permissions and perform various malicious activities.

Regarding device control, Brokewell allows the attacker to view the device screen in real time, perform remote tap and swipe gestures, click on specific elements or coordinates on the screen, scroll within items and type text into specified fields, simulate pressing the physical Back, Home and Recent buttons, and turn on the device’s screen remotely so that any information shown on it can be captured.

How to avoid falling victim to Brokewell

According to ThreatFabric researchers, behind the Brokewell malware is a criminal hacker who calls himself Baron Samedit and who specializes in selling malicious tools for controlling stolen accounts.

This detail confirms that dropper-as-a-service (DaaS) offerings that bypass Android’s accessibility service restrictions are an increasingly serious and widespread problem.

Security researchers also point out that device takeover capabilities, such as those of the Brokewell banking Trojan, are increasingly sought after by cyber criminals because they allow fraud to be carried out directly from the victim’s device, thereby evading fraud evaluation and detection tools.

In light of this, it cannot be ruled out that Brokewell will be developed further and offered to other cyber criminals on underground web forums as part of a larger malware-as-a-service (MaaS) operation.

Meanwhile, to protect yourself from Android malware infections, it is advisable to avoid downloading apps or app updates from outside Google Play and to ensure that Play Protect is always active on your device.
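The article’s two practical points, that Brokewell relies on being sideloaded and on obtaining accessibility service access, can be turned into a simple device check. The following script is an added example and is not code from ThreatFabric or from the article: it parses the output of two real adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i -3`) and flags any enabled accessibility service whose package was not installed by Google Play (installer `com.android.vending`). The two sample outputs embedded below are constructed for the demonstration; the package names in them are invented.

```python
"""Flag enabled Android accessibility services that belong to sideloaded apps.

Added example, not part of the article or the ThreatFabric report.
Input formats are those of two adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i -3
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample: colon-separated "package/ServiceClass" entries.
# A class starting with "." is relative to its package.
ENABLED_ACCESSIBILITY = (
    "com.android.talkback/.TalkBackService:"
    "com.example.screenreader/.ReaderService:"
    "com.example.fakechrome/.UpdateService"
)

# Constructed sample: third-party packages only (-3), with their installer (-i).
# System packages such as com.android.talkback do not appear in this list.
PACKAGE_LIST = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.fakechrome  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_accessibility_services(raw: str) -> List[Tuple[str, str]]:
    """Return (package, fully qualified service class) pairs from the settings value."""
    services = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls  # expand the relative class name
        services.append((pkg, cls))
    return services


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Return {package: installer} from `pm list packages -i` output.

    An installer of "null" (sideloaded via adb or a browser download) maps to None.
    """
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        installer = rest.strip()
        installers[pkg.strip()] = None if installer in ("", "null") else installer
    return installers


@dataclass
class Finding:
    package: str
    service: str
    installer: Optional[str]  # None means sideloaded / no recorded installer


def find_sideloaded_accessibility_services(
    accessibility_raw: str, packages_raw: str
) -> List[Finding]:
    """Return accessibility services owned by third-party apps not installed from Play.

    Packages absent from the third-party list are treated as system apps and skipped.
    """
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_accessibility_services(accessibility_raw):
        if pkg not in installers:
            continue  # system package, outside the scope of this check
        installer = installers[pkg]
        if installer != PLAY_STORE_INSTALLER:
            findings.append(Finding(pkg, cls, installer))
    return findings


if __name__ == "__main__":
    for f in find_sideloaded_accessibility_services(ENABLED_ACCESSIBILITY, PACKAGE_LIST):
        print(f"suspicious accessibility service: {f.service} "
              f"(installer={f.installer or 'none/sideloaded'})")
```

On a real device, replace the two constructed samples with the captured command output. A hit is not proof of infection (legitimate apps are sometimes sideloaded), but an accessibility service owned by an app with no Play Store installer is exactly the combination the article describes, and it is worth reviewing before the app is allowed to stay.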
