Saturday, May 25, 2024

Android Malware Brokewell With Complete Device Takeover Capabilities

A new family of mobile malware known as “Brokewell” has been found to have a wide range of device takeover capabilities. 

This seriously threatens the banking sector by giving attackers remote access to all the resources made available via mobile banking.

New instructions introduced virtually every day indicate the Trojan is still under development. 

Experts say Brokewell will most likely be offered as a rental service through underground channels, attracting the attention of other cybercriminals and inspiring new operations targeting different regions.

“These actors require this functionality to commit fraud directly on victims’ devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting,” ThreatFabric researchers shared with Cyber Security News.


Brokewell’s Primary Features

Researchers discovered a fake browser update page intended to install an Android application.

To unwary victims this strategy appears innocent, because a skillfully designed website offers an update to a more recent version of the program, and normal, because it happens during regular browser use.

According to researchers, the downloaded application is a family of malware with unprecedented capabilities. 

Fake page distributing Brokewell

Brokewell is a classic example of contemporary banking malware, with both remote-control and data-stealing capabilities.

Brokewell employs overlay attacks, a popular method for Android banking malware, to obtain user credentials by superimposing a fake screen over a targeted application.

Brokewell can also steal cookies, another characteristic common to modern mobile banking malware.

It accomplishes this by loading the authentic webpage, overriding the onPageFinished method, and starting its own WebView.

After the victim successfully logs in, Brokewell dumps the session cookies and sends them to the command and control (C2) server.

Stealing victim’s credentials

With its “accessibility logging,” Brokewell records all user interactions, including touches, swipes, information displays, text input, and programs opened. 

Any private information typed or seen on the infected device is effectively stolen because every action is recorded and transmitted to the command-and-control server.

After obtaining the credentials, the actors can use remote control capabilities to launch a Device Takeover attack. 

To do this, the malware streams the screen and gives the actor access to various commands that can be used on the device under control, including touches, swipes, and clicks on designated elements.

“These capabilities might be further expanded in the future by automating specific actions to streamline the Device Takeover attack for the actors and potentially create a functional Automated Transfer System (ATS)”, researchers said.

A New Actor In The Field Of Mobile Malware

Brokewell was used to host a repository named “Brokewell Cyber Labs,” created by “Baron Samedit.”

Researchers say source code for “Brokewell Android Loader,” another tool created by the same developer to bypass Android 13+ limitations on Accessibility Service for side-loaded apps, is available in this repository.

Threat actor advertises their products, including mobile threats and other offerings

Hence, the only way to properly identify and stop potential fraud from malware families like the recently identified Brokewell is to use a comprehensive, multi-layered fraud detection solution that is based on a combination of indicators, including device behavior and identity threats for each customer.
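One device-side indicator that follows from the accessibility abuse described above is an Accessibility Service enabled for an app that did not come from a trusted store. The script below is an added example, not part of the original article or the ThreatFabric research; the sample outputs are constructed, the package names are hypothetical, and the trusted-installer list is an assumption to adapt to your fleet.

```python
import re

# Installers treated as trusted stores (assumption; extend for your fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.browser.update/com.example.browser.update.CoreService"
)

# Constructed sample of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.browser.update  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""

def parse_a11y_services(raw):
    """Return {package: [service classes]} from the colon-separated setting."""
    services = {}
    raw = raw.strip()
    if raw in ("", "null"):          # nothing enabled
        return services
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services

def parse_installers(raw):
    """Return {package: installer or None} from `pm list packages -i` output."""
    installers = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", raw, re.M):
        installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def flag_sideloaded_a11y(a11y_raw, packages_raw):
    """List (package, installer, services) for a11y apps lacking a trusted installer."""
    services = parse_a11y_services(a11y_raw)
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, classes in sorted(services.items()):
        installer = installers.get(pkg)   # unknown package is treated as untrusted
        if installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, installer, classes))
    return findings

if __name__ == "__main__":
    for pkg, installer, classes in flag_sideloaded_a11y(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg} installer={installer} services={classes}")
```

Preinstalled system packages can also report a null installer, so cross-check findings against `pm list packages -s` before treating them as suspicious.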



Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
