New Android Malware Brokewell Takes Over Devices and Steals Data

Researchers have discovered a new Android banking trojan named Brokewell. The malware is distributed as a fake Chrome update and can capture almost any event on an infected device, from keystrokes and on-screen content to text typed into fields and the applications the user launches.

Specialists from ThreatFabric came across Brokewell through a fake Chrome update page that hosted the malicious payload. Looking back at earlier campaigns, the researchers found that Brokewell had previously masqueraded as a “buy now, pay later” financial service and as ID Austria, the Austrian digital identity app.

Brokewell is still in active development. Its capabilities centre on data theft and on giving its operators remote control of infected devices: it combines the usual banking-trojan functions (overlays, keylogging, cookie theft) with full remote access to the handset.

The trojan can:

  • Use overlays to simulate login pages for target applications (for credential theft);
  • Use its own WebView to intercept and extract cookies after the user logs into a legitimate site;
  • Intercept the victim’s actions, including taps, swipes, and text input to steal confidential data displayed or entered on the device;
  • Gather information about the device’s hardware and software;
  • Extract call logs;
  • Determine the device’s physical location;
  • Capture sound via the device’s microphone;
  • Provide the attacker real-time screen viewing capabilities;
  • Remotely execute various gestures (taps and swipes);
  • Remotely press specified elements or coordinates on the screen;
  • Simulate scrolling and input text into designated fields;
  • Simulate pressing physical buttons like “Back,” “Home,” and “Recent apps”;
  • Remotely activate the device screen to make any information available for capture;
  • Adjust settings such as brightness and volume.

According to ThreatFabric, Brokewell’s developer goes by the alias Baron Samedit and has been selling account-checker tools (software for validating stolen credentials in bulk) for at least two years.

The investigation also turned up a second tool, Brokewell Android Loader, written by the same author and hosted on one of Brokewell’s command-and-control servers. Notably, this loader bypasses the protection Google introduced in Android 13 (the “restricted settings” mechanism) to stop sideloaded APKs, i.e. apps installed outside Google Play, from being granted Accessibility Service access. That grant is what the trojan’s screen viewing, remote gestures and input capture depend on.
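Because the loader exists to obtain the Accessibility Service grant, the first question on a suspect device is which apps hold that grant and where they were installed from. The script below is an added example (not ThreatFabric’s tooling and not code from the Brokewell samples): it parses two pieces of `adb shell` output an analyst would collect, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and flags any app with accessibility access that was not installed by a trusted store. The sample strings, the package names, the trusted-installer set and the allowlist are all constructed assumptions to adapt to your own fleet.

```python
"""Accessibility-grant triage for a suspect Android device (added example).

Inputs are the text of two adb commands, collected by the analyst:
  settings get secure enabled_accessibility_services
      -> colon-separated "package/ServiceClass" entries
  pm list packages -i
      -> one "package:<name>  installer=<installer or null>" line per app
Sample data below is constructed, not real device output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re

# Assumed trusted installer: Google Play. Extend for enterprise stores.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumed allowlist of packages that legitimately use accessibility.
ALLOWLIST = {"com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: Optional[str]
    reason: str


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split 'pkg/cls:pkg2/cls2' into (package, class) pairs.

    Android stores the class either fully qualified or as '.Relative'
    shorthand; both forms are kept verbatim. 'null' means nothing enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # tolerate trailing separators or junk
        pkg, cls = entry.split("/", 1)
        pairs.append((pkg, cls))
    return pairs


_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package -> installer package from `pm list packages -i` output."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue
        pkg, inst = m.groups()
        installers[pkg] = None if inst == "null" else inst
    return installers


def audit(services_raw: str, pm_raw: str) -> List[Finding]:
    """Return one Finding per accessibility-enabled app that is not
    allowlisted and was not installed by a trusted store."""
    findings: List[Finding] = []
    installers = parse_installers(pm_raw)
    for pkg, cls in parse_enabled_services(services_raw):
        if pkg in ALLOWLIST:
            continue
        inst = installers.get(pkg)
        if inst is None:
            findings.append(Finding(pkg, cls, None,
                "sideloaded (no installer recorded) with accessibility access"))
        elif inst not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, cls, inst,
                f"accessibility access granted to app installed by {inst}"))
    return findings


# Constructed sample: one legitimate service, one sideloaded "Chrome update",
# one app from an untrusted third-party store. Package names are invented.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.chromeupdate/.AccService:"
    "com.example.bnpl/.Svc"
)
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.chromeupdate  installer=null
package:com.example.bnpl  installer=com.example.store
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES, SAMPLE_PM):
        print(f"{f.package} ({f.service}) installer={f.installer}: {f.reason}")
```

An empty result is not a clean bill of health: a loader that obtained the grant through a session-based install will show a non-null installer, so review anything outside your trusted set rather than only the `null` entries, and pull the APK for each hit for static analysis.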

ThreatFabric expects Brokewell to be developed further and, in the near future, offered to other cybercriminals on dark-web forums under a malware-as-a-service (MaaS) model.
