A newly identified Android trojan can steal user information and provide attackers with the ability to take control of infected devices, threat detection company ThreatFabric reports.
Dubbed Brokewell, the trojan includes all the capabilities of mobile banking malware, while also providing attackers with remote access to devices.
Brokewell is being distributed via fake application updates, such as newer Chrome browser iterations and updates for an Austrian digital authentication application.
To harvest the victim’s credentials, the malware overlays fake windows over the targeted mobile applications. Furthermore, it can steal browser cookies by launching its own WebView, loading the legitimate site, and dumping session cookies after the user completes the login process.
Additionally, ThreatFabric discovered that Brokewell has an accessibility logging capability, which allows it to capture device events such as touches, swipes, text input, opened applications, and information being displayed on the screen.
The malware harvests all this information and sends it to a command-and-control (C&C) server, giving the threat actors a trove of stolen data.
“It’s important to highlight that, in this case, any application is at risk of data compromise: Brokewell logs every event, posing a threat to all applications installed on the device,” ThreatFabric points out.
The malware also packs spyware capabilities, collecting information about the device and stealing data such as call history and geolocation, along with the ability to record audio.
Brokewell can also perform screen streaming, and supports various commands that allow the attackers to take full control over the infected device and perform various actions on the screen, including touches, swipes, clicks, scrolls, text input, and more.
ThreatFabric discovered that one of the malware’s C&C servers was also used to host a repository called Brokewell Cyber Labs, which contained the source code for a ‘Brokewell Android Loader’ and that both were developed by a threat actor called Baron Samedit.
The loader is capable of bypassing existing Android 13 and newer restrictions on using Accessibility Service for application sideloading, potentially allowing multiple actors to include the capability in their malware.
Baron Samedit has been active for at least two years, providing cybercriminals with tools to check stolen accounts from multiple services.
“We anticipate further evolution of this malware family, as we’ve already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions,” ThreatFabric concludes.
“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.
