Security researchers have recently identified a new Android banking trojan named Brokewell, capable of capturing a wide range of user activities on infected devices. The malware exploits user interactions by mimicking legitimate login screens to steal credentials and using its own WebView to intercept cookies, alongside capturing taps, swipes, and text inputs. This allows Brokewell to collect extensive data from the device, including call logs, physical location, and even audio through the device’s microphone. The trojan is delivered to users through a deceptive notification for a Google Chrome update while browsing, making it a potent threat given Chrome‘s widespread usage.
Brokewell’s capabilities extend beyond mere data theft to comprehensive device control. Attackers can remotely view the device’s screen, execute touch and swipe gestures, click on specific screen elements, and manipulate device settings such as brightness and volume. These features enable attackers to take over the device without physical access, facilitating fraud and other malicious activities directly from the victim’s device. This level of access effectively bypasses traditional security measures aimed at detecting fraudulent transactions.
The development and distribution of Brokewell are credited to a threat actor known by the alias Baron Samedit. Samedit has been active for at least two years, developing tools like the “Brokewell Android Loader,” which is used by multiple cybercriminals. This loader is particularly notorious for bypassing restrictions introduced in Android 13 that are meant to curb the abuse of Accessibility Services by side-loaded apps (APKs), highlighting a significant vulnerability in Android’s security framework.
As Brokewell continues to evolve, security experts anticipate its further refinement and distribution in the cybercrime community as part of a malware-as-a-service (MaaS) operation. This points to a growing trend of sophisticated malware tools being offered on underground forums, allowing a wider range of cybercriminals to engage in fraud and data theft. Users are advised to protect themselves from such threats by only downloading apps or updates from reputable sources like the Google Play Store and ensuring that Google Play Protect is enabled on their devices at all times.
