New Brokewell malware takes over Android devices, steals data

Summary: The content discusses a new Android banking trojan called Brokewell that can capture user data and take control of infected devices, highlighting its capabilities and the threat actor behind it.

Threat Actor: Baron Samedit
Victim: Android users

Key Points:

  • Brokewell is an Android banking trojan that steals data and offers remote control capabilities to attackers.
  • The threat actor behind Brokewell is Baron Samedit, who has been selling tools for checking stolen accounts and developed the Brokewell Android Loader.
  • The malware is delivered through a fake Google Chrome update and targets “buy now, pay later” financial services.
  • Brokewell can mimic login screens, intercept and extract cookies, capture user interactions, gather device details, retrieve call logs, determine device location, and capture audio.
  • It also allows attackers to see the device’s screen in real-time, execute touch and swipe gestures remotely, simulate physical button presses, and adjust device settings.
  • The Brokewell Android Loader bypasses the Google restrictions that prevent side-loaded apps from being granted Accessibility Service access.
  • Loaders that bypass these restrictions have become common and widely deployed in the wild.
  • Device takeover capabilities like those in Brokewell are in high demand among cybercriminals as they evade fraud evaluation and detection tools.
  • Researchers expect Brokewell to be further developed and offered to other cybercriminals as part of a malware-as-a-service operation.
  • To protect against Android malware, users should avoid downloading apps from outside Google Play and ensure Play Protect is active on their devices.

Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches.

The malware is delivered through a fake Google Chrome update that is shown while using the web browser. Brokewell is under active development and features a mix of extensive device takeover and remote control capabilities.

Brokewell details

Researchers at fraud risk company ThreatFabric found Brokewell after investigating a fake Chrome update page that dropped a payload, a common method for tricking unsuspecting users into installing malware.

[Figure: Legitimate (left) and fake (right) Chrome update pages. Source: ThreatFabric]

Looking at past campaigns, the researchers found that Brokewell had been used before to target “buy now, pay later” financial services (e.g. Klarna) and to masquerade as an Austrian digital authentication application called ID Austria.

[Figure: APKs used for distributing Brokewell. Source: ThreatFabric]

Brokewell’s main capabilities are to steal data and offer remote control to attackers.

Data stealing: 

  • Mimics the login screens of targeted applications to steal credentials (overlay attacks).
  • Uses its own WebView to intercept and extract cookies after a user logs into a legitimate site.
  • Captures the victim’s interaction with the device, including taps, swipes, and text inputs, to steal sensitive data displayed or entered on the device.
  • Gathers hardware and software details about the device.
  • Retrieves the call logs.
  • Determines the physical location of the device.
  • Captures audio using the device’s microphone.

[Figure: Stealing the victim’s credentials. Source: ThreatFabric]

Device takeover: 

  • Allows the attacker to see the device’s screen in real-time (screen streaming).
  • Executes touch and swipe gestures remotely on the infected device.
  • Allows remote clicking on specified screen elements or coordinates.
  • Enables remote scrolling within elements and typing text into specified fields.
  • Simulates physical button presses like Back, Home, and Recents.
  • Activates the device’s screen remotely to make any info available for capture.
  • Adjusts settings like brightness and volume all the way down to zero.

New threat actor and loader

ThreatFabric reports that the developer behind Brokewell is an individual calling themselves Baron Samedit, who for at least two years had been selling tools for checking stolen accounts.

[Figure: Tools sold on the threat actor’s website. Source: ThreatFabric]

The researchers discovered another tool called “Brokewell Android Loader,” also developed by Samedit. The tool was hosted on one of the servers acting as a command and control server for Brokewell, and it is used by multiple cybercriminals.

Interestingly, this loader can bypass the restrictions Google introduced in Android 13 and later to prevent abuse of Accessibility Service for side-loaded apps (APKs).

This bypass has been an issue since mid-2022 and became a bigger problem in late 2023 with the availability of dropper-as-a-service (DaaS) operations offering it as part of their service, as well as malware incorporating the techniques into their custom loaders.

As highlighted with Brokewell, loaders that bypass the restrictions meant to prevent granting Accessibility Service access to APKs downloaded from shady sources have now become common and widely deployed in the wild.
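As an added defender-side check (example code, not from the article or ThreatFabric), the function below cross-references a device’s enabled accessibility services against each package’s recorded installer and flags services that belong to packages not installed from Google Play. The two inputs are constructed samples standing in for the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the package and service names are hypothetical.

```shell
#!/bin/sh
# Added example: flag enabled Android accessibility services whose owning
# package was not installed by Google Play (installer com.android.vending).
# On a real device the two inputs would come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
# Constructed sample values are used here so the script runs offline.

# Constructed sample: two enabled services, one from a sideloaded package
# (format is colon-separated "package/serviceclass" entries).
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.chromeupdate/com.example.chromeupdate.Svc'

# Constructed sample of "pm list packages -i" output (hypothetical packages).
SAMPLE_PKGS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.chromeupdate  installer=null
package:com.android.chrome  installer=com.android.vending'

# Print "<package> installer=<installer>" for each enabled accessibility
# service whose package installer is not Google Play.
# $1 = enabled_accessibility_services value, $2 = pm list packages -i output
flag_sideloaded_a11y() {
    a11y="$1"
    pkgs="$2"
    printf '%s\n' "$a11y" | tr ':' '\n' | cut -d/ -f1 | sort -u | while read -r pkg; do
        [ -n "$pkg" ] || continue
        # Fixed-string match on the "package:<name> " prefix, then keep the installer field.
        installer=$(printf '%s\n' "$pkgs" | grep -F -- "package:$pkg " | sed 's/.*installer=//')
        if [ "$installer" != "com.android.vending" ]; then
            printf '%s installer=%s\n' "$pkg" "${installer:-unknown}"
        fi
    done
}

flag_sideloaded_a11y "$SAMPLE_A11Y" "$SAMPLE_PKGS"
```

A hit is a starting point for triage, not proof of infection: legitimate sideloaded accessibility tools will also be listed, so confirm the package’s origin before uninstalling it.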

Security researchers warn that device takeover capabilities such as those available in the Brokewell banker for Android are in high demand among cybercriminals because they allow fraud to be performed from the victim’s own device, thus evading fraud evaluation and detection tools.

They expect Brokewell to be further developed and offered to other cybercriminals on underground forums as part of a malware-as-a-service (MaaS) operation.

To protect yourself from Android malware infections, avoid downloading apps or app updates from outside Google Play and ensure that Play Protect is active on your device at all times.

Source: https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/