Security experts have uncovered a new Android banking trojan called Brokewell, which can record every event on the device, from taps and displayed information to text input and launched apps.
The malware is distributed via a fake Google Chrome update that appears while the user is browsing the web. Brokewell is under active development and combines broad device-takeover and remote-control capabilities.
Brokewell information
ThreatFabric researchers discovered Brokewell while examining a bogus Chrome update page that dropped a payload, a common approach for deceiving unwary users into installing malware.
Looking back at previous campaigns, the researchers discovered that Brokewell had previously been used to target "buy now, pay later" financial institutions (such as Klarna) while masquerading as an Austrian digital authentication tool named ID Austria.
Brokewell's key capabilities include data theft and remote control for attackers.
Data theft:
- Mimics the login screens of targeted applications to steal credentials (overlay attacks).
- Uses its own WebView to track and collect cookies once a user logs into a valid website.
- Captures the victim's interactions with the device, such as taps, swipes, and text input, to steal data displayed on or entered into it.
- Collects hardware and software information about the device.
- Retrieves call logs.
- Determines the device's physical location.
- Captures audio with the device's microphone.
Device Takeover:
- The attacker can see the device's screen in real time (screen streaming).
- Remotely executes touch and swipe gestures on the infected device.
- Allows remote clicking on specific screen components or coordinates.
- Allows for remote scrolling within elements and text entry into specific fields.
- Simulates physical button presses such as Back, Home, and Recents.
- Remotely turns on the device's screen, allowing the attacker to capture whatever is displayed.
- Adjusts brightness and volume to zero.
New threat actor and loader
According to ThreatFabric, the developer of Brokewell is an individual who goes by the name Baron Samedit and has been offering tools for checking stolen accounts for at least two years.
The researchers identified another tool named "Brokewell Android Loader," also developed by Samedit. The tool was hosted on one of Brokewell's command and control servers and is used by several other threat actors.
Unexpectedly, this loader can circumvent the restrictions Google imposed in Android 13 and later to prevent misuse of the Accessibility Service for side-loaded programs (APKs).
This bypass has been a problem since mid-2022, and it became even more of a problem in late 2023 when dropper-as-a-service (DaaS) operations began offering it as part of their service, as well as malware incorporating the tactics into their bespoke loaders.
As Brokewell shows, loaders that circumvent the restrictions meant to keep APKs downloaded from untrusted sources from obtaining Accessibility Service access are now commonplace and widely used in the wild.
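As a defensive check for the Accessibility Service abuse described above, here is an added shell example (not from the article or from ThreatFabric) that flags enabled accessibility services whose app was not installed by Google Play, by parsing the output of two adb commands; the sample command output and the package names in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: list accessibility services
# that are enabled on a device but belong to apps not installed by Google Play
# (installer com.android.vending). Such a combination is a heuristic indicator of
# a side-loaded app that obtained Accessibility Service access.
#
# Input 1: output of `adb shell settings get secure enabled_accessibility_services`
#          (colon-separated "package/service" entries)
# Input 2: output of `adb shell pm list packages -i`
#          ("package:<pkg>  installer=<installer>" lines)

# Constructed sample output; package names are made up for illustration.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.update.chrome/com.update.chrome.MonitorService'
SAMPLE_PKGS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.update.chrome  installer=null
package:com.android.chrome  installer=com.android.vending'

# find_sideloaded_a11y <enabled_services> <pm_list_output>
# Prints "<package> (installer=<installer>)" for every package with an enabled
# accessibility service that was not installed from Google Play.
find_sideloaded_a11y() {
    a11y=$1
    pkgs=$2
    # One package per line, deduplicated, from the service list.
    printf '%s\n' "$a11y" | tr ':' '\n' | cut -d/ -f1 | sort -u | while read -r pkg; do
        [ -n "$pkg" ] || continue
        # Look up the installer recorded by the package manager for this package.
        inst=$(printf '%s\n' "$pkgs" | awk -v p="package:$pkg" \
            '$1 == p { sub(/^installer=/, "", $2); print $2 }')
        if [ "$inst" != "com.android.vending" ]; then
            printf '%s (installer=%s)\n' "$pkg" "${inst:-unknown}"
        fi
    done
}

# Live use against a connected device (requires adb and USB debugging):
#   find_sideloaded_a11y "$(adb shell settings get secure enabled_accessibility_services)" \
#                        "$(adb shell pm list packages -i)"
find_sideloaded_a11y "$SAMPLE_A11Y" "$SAMPLE_PKGS"
```

A hit from this check is a starting point for triage, not proof of infection; legitimate accessibility apps installed outside the Play Store will also appear.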
Security experts warn that device-control capabilities, such as those seen in the Brokewell banker for Android, are in high demand among cybercriminals because they allow fraud to be committed from the victim's own device, bypassing fraud assessment and detection tools.
They anticipate Brokewell being further improved and distributed to other cybercriminals via underground forums as part of a malware-as-a-service (MaaS) operation.
To avoid Android malware infections, avoid downloading apps or app updates from sources other than Google Play, and make sure Play Protect is always turned on.