Saturday, October 5, 2024
HomeAndroidAndroid Malware Brokewell With Complete Device Takeover Capabilities

Android Malware Brokewell With Complete Device Takeover Capabilities

Published on

A new family of mobile malware known as “Brokewell” has been found to have a wide range of device takeover capabilities. 

This seriously threatens the banking sector by giving attackers remote access to all the resources made available via mobile banking.

New instructions introduced virtually every day indicate the Trojan is still under development. 

- Advertisement - EHA

Experts say Brokewell will most likely be offered as a rental service through underground channels, receiving the attention of other cybercriminals and inspiring new operations targeting different regions.

“These actors require this functionality to commit fraud directly on victims’ devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting,” ThreatFabric researchers shared with Cyber Security News.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Brokewell’s Primary Features

Researchers discovered a fake browser update page intended to install an Android application.

This strategy appears innocent to unwary victims—with a skillfully designed website offering an update for a more recent version of the program—and normal—as it happens during regular browser use.

According to researchers, the downloaded application is a family of malware with unprecedented capabilities. 

Fake page distributing Brokewell

Brokewell is a classic example of contemporary banking malware that can remotely operate itself and steal data.

Overlay attacks, a popular method for Android banking malware, are employed by Brokewell to obtain user credentials by combining a fake screen over a targeted application.

Brokewell can also steal cookies, another characteristic common to modern mobile banking malware.

It accomplishes this by loading the authentic webpage, overriding the onPageFinished method, and starting its own WebView.

After the victim successfully logs in, Brokewell dumps the session cookies and sends them to the command and control (C2) server.

Stealing victim’s credentials

With its “accessibility logging,” Brokewell records all user interactions, including touches, swipes, information displays, text input, and programs opened. 

Any private information typed or seen on the infected device is effectively stolen because every action is recorded and transmitted to the command-and-control server.

After obtaining the credentials, the actors can use remote control capabilities to launch a Device Takeover attack. 

To do this, the malware streams the screen and gives the actor access to various commands that can be used on the device under control, including touches, swipes, and clicks on designated elements.

“These capabilities might be further expanded in the future by automating specific actions to streamline the Device Takeover attack for the actors and potentially create a functional Automated Transfer System (ATS)”, researchers said.

A New Actor In The Field Of Mobile Malware

Brokewell was used to host a repository named “Brokewell Cyber Labs,” created by “Baron Samedit.”

Researchers say source code for “Brokewell Android Loader,” another tool created by the same developer to bypass Android 13+ are limitations on Accessibility Service for side-loaded apps, is available in this repository. 

Threat actor advertises their products, including mobile threats and other offerings

Hence, the only way to properly identify and stop potential fraud from malware families like the recently identified Brokewell is to use a comprehensive, multi-layered fraud detection solution that is based on a combination of indicators, including device behavior and identity threats for each customer.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Hackers Attacking AI Agents To Hijacking Customer Sessions

Conversational AI platforms, powered by chatbots, are witnessing a surge in malicious attacks, which...