April 25, 2024 at 10:05AM
New Android banking trojan “Brokewell” discovered by security researchers, capable of capturing all device activity through a fake Google Chrome update. Used in previous campaigns targeting financial services, it aims to steal data and provide remote control to attackers. Developed by an individual called Baron Samedit, with a loader bypassing Android 13 restrictions. Security experts warn of its potential growth and advise against downloading apps from unofficial sources.
From the provided meeting notes, the key takeaways are:
1. A new Android banking trojan called Brokewell has been discovered by security researchers. It can capture every event on the device, from touches and information displayed to text input and the applications the user launches.
2. Brokewell is delivered through a fake Google Chrome update that is displayed while using the web browser. It is currently under active development and features extensive device takeover and remote control capabilities.
3. Brokewell has been used in past campaigns to target “buy now, pay later” financial services and has masqueraded as the Austrian digital authentication application called ID Austria.
4. Brokewell’s main capabilities include data stealing and device takeover. It can steal data by mimicking login screens of targeted applications, capturing interactions with the device, and gathering hardware and software details. It can also take over the device by allowing the attacker to see the device’s screen in real-time, execute touch and swipe gestures remotely, and adjust device settings remotely.
5. The developer behind Brokewell is an individual calling themselves Baron Samedit, who has been selling tools for checking stolen accounts for at least two years. Another tool developed by Samedit called “Brokewell Android Loader” can bypass restrictions introduced by Google in Android 13 and later to prevent abuse of Accessibility Service for side-loaded apps.
6. Loaders that bypass restrictions to prevent granting Accessibility Service access to APKs downloaded from shady sources have become common and widely deployed in the wild, posing a significant threat.
7. Security researchers warn that device takeover capabilities such as those available in Brokewell are in high demand among cybercriminals and expect it to be further developed and offered to other cybercriminals on underground forums as part of a malware-as-a-service operation.
8. To protect against Android malware infections, it is advised to avoid downloading apps or app updates from outside Google Play and ensure that Play Protect is active on the device at all times.