Brokewell Mobile Malware

Cybercriminals are exploiting fraudulent browser updates to distribute a newly identified Android malware named Brokewell. This malware represents a potent example of contemporary banking malware, possessing functionalities designed for both data theft and remote control of breached devices. Researchers are warning that Brokewell is undergoing active development, with ongoing updates that introduce new commands expanding its malicious capabilities, such as enabling the capture of touch events, on-screen text, and details about the applications launched by victims.

The Brokewell Mobile Malware Masquerades as Legitimate Applications

Brokewell disguises itself as legitimate applications, such as Google Chrome, ID Austria and Klarna, using the following package names:

jcwAz.EpLIq.vcAZiUGZpK (Google Chrome)
zRFxj.ieubP.lWZzwlluca (ID Austria)
com.brkwl.upstracking (Klarna)

Similar to other recent Android malware, Brokewell is adept at bypassing Google's restrictions that prohibit sideloaded applications from requesting accessibility service permissions.

Upon installation and first launch, the banking trojan prompts the victim to grant it accessibility service permissions. Once obtained, the malware uses the accessibility service to grant itself additional permissions and to carry out its other malicious activities automatically, without further user interaction.
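The two indicators above (the listed package names, and a sideloaded app that has been granted an accessibility service) can be checked on a device during triage. The following is an added example, not code from the original entry: it parses the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services` (the sample outputs below are constructed) and flags known Brokewell packages and any sideloaded package (no installer recorded) that holds an accessibility service.

```python
import re
from typing import Dict, List

# Package names this entry lists for Brokewell's disguises.
BROKEWELL_PACKAGES = {
    "jcwAz.EpLIq.vcAZiUGZpK": "Google Chrome",
    "zRFxj.ieubP.lWZzwlluca": "ID Austria",
    "com.brkwl.upstracking": "Klarna",
}

# Constructed sample of `pm list packages -3 -i` (third-party apps with installer).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:jcwAz.EpLIq.vcAZiUGZpK  installer=null
package:com.example.bank  installer=com.android.vending
"""
# Constructed sample of the enabled_accessibility_services secure setting.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService"
               ":jcwAz.EpLIq.vcAZiUGZpK/.AccService")

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<inst>\S+))?\s*$")


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> installer ('null' when the app was sideloaded)."""
    pkgs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("inst") or "null"
    return pkgs


def accessibility_packages(setting: str) -> List[str]:
    """Return the package part of each 'pkg/service' entry in the setting."""
    return [svc.split("/")[0] for svc in setting.split(":") if svc and svc != "null"]


def triage(pm_text: str, a11y_setting: str) -> List[str]:
    """Flag known Brokewell package names and sideloaded apps holding accessibility."""
    pkgs = parse_pm_list(pm_text)
    findings = [f"KNOWN_BROKEWELL {p} (posing as {BROKEWELL_PACKAGES[p]})"
                for p in pkgs if p in BROKEWELL_PACKAGES]
    for pkg in accessibility_packages(a11y_setting):
        # System services such as TalkBack are not in the -3 listing and are skipped.
        if pkgs.get(pkg) == "null":
            findings.append(f"SIDELOADED_ACCESSIBILITY {pkg}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_OUTPUT, SAMPLE_A11Y):
        print(finding)
```

A sideloaded app with an accessibility service is a lead to investigate, not proof of infection; confirm with the package name match or by pulling the APK for analysis.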

Brokewell's capabilities include displaying overlay screens on top of targeted applications to harvest user credentials. It can also steal cookies by launching a WebView that loads the legitimate website, intercepting the session cookies and sending them to a server controlled by the threat actors.

The Brokewell Banking Trojan Can Perform Numerous Harmful Actions

Additional functionalities of Brokewell encompass recording audio, capturing screenshots, accessing call logs, retrieving device location, listing installed apps, logging all device events, sending SMS messages, initiating phone calls, installing and uninstalling apps and even disabling the accessibility service.

Moreover, threat actors can exploit the malware's remote control capabilities to view real-time screen content and interact with the device by simulating clicks, swipes and touches.

A New Threat Actor May Be Responsible for the Brokewell Mobile Malware

The individual believed to be the developer of Brokewell goes by the alias Baron Samedit. Researchers note that this threat actor has been known for at least two years for selling tools designed to check stolen accounts. The researchers have also uncovered another tool attributed to Samedit, called 'Brokewell Android Loader,' hosted on a Command-and-Control (C2) server used by Brokewell and accessed by multiple cybercriminals.

Notably, this loader is capable of circumventing Google's restrictions implemented in Android 13 and later versions to prevent misuse of Accessibility Service by sideloaded apps (APKs).

This bypass has been an ongoing concern since mid-2022 and escalated significantly in late 2023 with the emergence of dropper-as-a-service (DaaS) operations offering it as part of their service, alongside malware incorporating these techniques into their customized loaders.

As Brokewell illustrates, loaders that evade the restrictions on Accessibility Service access for APKs obtained from untrusted sources are now commonplace and widely distributed across the cyber threat landscape.

Cybercriminals Are Utilizing Malware Tools with Takeover Capabilities

Security experts caution that the device takeover functionalities seen in the Brokewell banking malware for Android are highly sought after by cybercriminals. These capabilities enable fraud to be carried out directly from the victim's device, helping perpetrators evade fraud detection and assessment tools.

It is anticipated that Brokewell will undergo further development and potentially be distributed to other cybercriminals through underground forums as part of a malware-as-a-service (MaaS) offering.

To safeguard against Android malware infections, refrain from downloading applications or updates from sources outside of Google Play. Ensure that Google Play Protect is activated on your device at all times to enhance device security.
