Android Malware Brokewell With Complete Device Takeover Capabilities

A new family of mobile malware known as “Brokewell” has been found to have a wide range of device takeover capabilities. 

This seriously threatens the banking sector by giving attackers remote access to all the resources made available via mobile banking.

New instructions introduced virtually every day indicate the Trojan is still under development. 

Experts say Brokewell will most likely be offered as a rental service through underground channels, receiving the attention of other cybercriminals and inspiring new operations targeting different regions.

“These actors require this functionality to commit fraud directly on victims’ devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting,” ThreatFabric researchers shared with Cyber Security News.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Brokewell’s Primary Features

Researchers discovered a fake browser update page intended to install an Android application.

This strategy appears innocent to unwary victims—with a skillfully designed website offering an update for a more recent version of the program—and normal—as it happens during regular browser use.

According to researchers, the downloaded application is a family of malware with unprecedented capabilities. 

Brokewell is a classic example of contemporary banking malware that can remotely operate itself and steal data.

Overlay attacks, a popular method for Android banking malware, are employed by Brokewell to obtain user credentials by combining a fake screen over a targeted application.

Brokewell can also steal cookies, another characteristic common to modern mobile banking malware.

It accomplishes this by loading the authentic webpage, overriding the onPageFinished method, and starting its own WebView.

After the victim successfully logs in, Brokewell dumps the session cookies and sends them to the command and control (C2) server.

With its “accessibility logging,” Brokewell records all user interactions, including touches, swipes, information displays, text input, and programs opened. 

Any private information typed or seen on the infected device is effectively stolen because every action is recorded and transmitted to the command-and-control server.

After obtaining the credentials, the actors can use remote control capabilities to launch a Device Takeover attack. 

To do this, the malware streams the screen and gives the actor access to various commands that can be used on the device under control, including touches, swipes, and clicks on designated elements.

“These capabilities might be further expanded in the future by automating specific actions to streamline the Device Takeover attack for the actors and potentially create a functional Automated Transfer System (ATS)”, researchers said.

A New Actor In The Field Of Mobile Malware

Brokewell was used to host a repository named “Brokewell Cyber Labs,” created by “Baron Samedit.”

Researchers say source code for “Brokewell Android Loader,” another tool created by the same developer to bypass Android 13+ are limitations on Accessibility Service for side-loaded apps, is available in this repository. 

Hence, the only way to properly identify and stop potential fraud from malware families like the recently identified Brokewell is to use a comprehensive, multi-layered fraud detection solution that is based on a combination of indicators, including device behavior and identity threats for each customer.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo