The threat detection company ThreatFabric recently uncovered this malware, named Brokewell, which combines the functionality of traditional mobile banking trojans with advanced remote access capabilities.
Distribution and Attack Mechanics
Brokewell is primarily distributed through fake application updates, mimicking popular apps like Chrome browser and an Austrian digital authentication tool. Once installed, it deploys fake windows to capture user credentials from targeted applications. Additionally, it can hijack browser sessions by dumping session cookies after a user logs in through its own WebView interface.
Extensive Data Harvesting
The malware leverages accessibility logging features to record a wide range of device interactions, including touch inputs, swipes, and text entries. This allows it to capture details from virtually any application running on the device, sending gathered data back to its command-and-control (C&C) server.
Spyware Features and Remote Control
Apart from stealing login data, Brokewell also spies on users by collecting information such as call history and geolocation, and it can even record audio. With the ability to stream the device screen in real time, the malware supports various commands, enabling attackers to interact directly with the compromised device.
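The capabilities described in the three sections above (fake overlay windows, accessibility-based input logging, and audio, call-log and location collection) all require specific Android declarations, which makes them a useful triage signal. The following is an added example written for this article, not ThreatFabric's tooling or anything from the Brokewell sample; the manifest is constructed, and the permission-to-behaviour mapping and the accessibility-plus-overlay scoring rule are my own assumptions about what an analyst would flag for manual review.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for illustration, not from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Assumed mapping of declared permissions to the behaviours the article describes.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (fake login screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "package installation (fake updates)",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.READ_CALL_LOG": "call history collection",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
}

def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found and whether the combination warrants review."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = {p: why for p, why in RISKY_PERMISSIONS.items() if p in perms}
    # A service bound with BIND_ACCESSIBILITY_SERVICE can observe every
    # touch, swipe and text entry on the device, the logging the article describes.
    has_a11y = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    if has_a11y:
        found["BIND_ACCESSIBILITY_SERVICE"] = "accessibility logging of input"
    # Assumed rule: accessibility plus overlay together is the banking-trojan
    # pattern worth a manual look; either alone is common in legitimate apps.
    needs_review = has_a11y and "android.permission.SYSTEM_ALERT_WINDOW" in perms
    return {"indicators": found, "needs_review": needs_review}
```

This is a static pre-filter only; a result of `needs_review` means an analyst should look, not that the app is malicious.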
Underlying Infrastructure and Development
Investigations revealed that one of Brokewell’s C&C servers hosted a repository known as Brokewell Cyber Labs, containing tools like the ‘Brokewell Android Loader’. Developed by a known threat actor, Baron Samedit, this loader circumvents security restrictions in Android 13 and above, facilitating the sideloading of malicious applications.
Future Implications and Protection Measures
ThreatFabric warns of the potential evolution of Brokewell, noting its promotion in underground circles as a rental service, which could lead to wider distribution and more targeted attacks globally. Despite this growing threat, Android users are safeguarded against known versions of this malware by Google Play Protect, which actively blocks or warns against malicious apps, ensuring a layer of security for users across the platform.