Android Malware Brokewell With Complete Device Takeover Capabilities

A new family of mobile malware known as “Brokewell” has been found to have a wide range of device takeover capabilities. 

This seriously threatens the banking sector by giving attackers remote access to all the resources made available via mobile banking.

New instructions introduced virtually every day indicate the Trojan is still under development. 

Experts say Brokewell will most likely be offered as a rental service through underground channels, receiving the attention of other cybercriminals and inspiring new operations targeting different regions.

“These actors require this functionality to commit fraud directly on victims’ devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting,” ThreatFabric researchers shared with Cyber Security News.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Brokewell’s Primary Features

Researchers discovered a fake browser update page intended to install an Android application.

This strategy appears innocent to unwary victims—with a skillfully designed website offering an update for a more recent version of the program—and normal—as it happens during regular browser use.

According to researchers, the downloaded application is a family of malware with unprecedented capabilities. 

Fake page distributing Brokewell

Brokewell is a classic example of contemporary banking malware that can remotely operate itself and steal data.

Overlay attacks, a popular method for Android banking malware, are employed by Brokewell to obtain user credentials by combining a fake screen over a targeted application.

Brokewell can also steal cookies, another characteristic common to modern mobile banking malware.

It accomplishes this by loading the authentic webpage, overriding the onPageFinished method, and starting its own WebView.

After the victim successfully logs in, Brokewell dumps the session cookies and sends them to the command and control (C2) server.

Stealing victim’s credentials

With its “accessibility logging,” Brokewell records all user interactions, including touches, swipes, information displays, text input, and programs opened. 

Any private information typed or seen on the infected device is effectively stolen because every action is recorded and transmitted to the command-and-control server.

After obtaining the credentials, the actors can use remote control capabilities to launch a Device Takeover attack. 

To do this, the malware streams the screen and gives the actor access to various commands that can be used on the device under control, including touches, swipes, and clicks on designated elements.

“These capabilities might be further expanded in the future by automating specific actions to streamline the Device Takeover attack for the actors and potentially create a functional Automated Transfer System (ATS)”, researchers said.

A New Actor In The Field Of Mobile Malware

Brokewell was used to host a repository named “Brokewell Cyber Labs,” created by “Baron Samedit.”

Researchers say source code for “Brokewell Android Loader,” another tool created by the same developer to bypass Android 13+ are limitations on Accessibility Service for side-loaded apps, is available in this repository. 

Threat actor advertises their products, including mobile threats and other offerings

Hence, the only way to properly identify and stop potential fraud from malware families like the recently identified Brokewell is to use a comprehensive, multi-layered fraud detection solution that is based on a combination of indicators, including device behavior and identity threats for each customer.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago