Android Malware

Fake browser updates are being used to push a previously undocumented Android malware called Brokewell.

"Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric said in an analysis published Thursday.

The malware is said to be in active development, adding new commands to capture touch events, textual information displayed on screen, and the applications a victim launches.

The list of Brokewell apps that masquerade as Google Chrome, ID Austria, and Klarna is as follows -

  • jcwAz.EpLIq.vcAZiUGZpK (Google Chrome)
  • zRFxj.ieubP.lWZzwlluca (ID Austria)
  • com.brkwl.upstracking (Klarna)

Like other recent Android malware families of its kind, Brokewell is capable of getting around restrictions imposed by Google that prevent sideloaded apps from requesting accessibility service permissions.


The banking trojan, once installed and launched for the first time, prompts the victim to grant permissions to the accessibility service, which it subsequently uses to automatically grant other permissions and carry out various malicious activities.

This includes displaying overlay screens on top of targeted apps to pilfer user credentials. It can also steal cookies by launching a WebView and loading the legitimate website, after which the session cookies are intercepted and transmitted to an actor-controlled server.


Some of the other features of Brokewell include the ability to record audio, take screenshots, retrieve call logs, access device location, list installed apps, record every event happening on the device, send SMS messages, make phone calls, install and uninstall apps, and even disable the accessibility service.

The threat actors can also leverage the malware's remote control functionality to see what's displayed on screen in real-time, as well as interact with the device through clicks, swipes, and touches.

Brokewell is said to be the work of a developer who goes by the name "Baron Samedit Marais" and manages the "Brokewell Cyber Labs" project, which also includes an Android Loader publicly hosted on Gitea.

The loader is designed to act as a dropper that bypasses accessibility permission restrictions in Android versions 13, 14, and 15, using a technique previously adopted by dropper-as-a-service (DaaS) offerings like SecuriDropper, and then deploys the trojan implant.

By default, the loader apps generated through this process have the package name "com.brkwl.apkstore," although this can be configured by the user by either providing a specific name or enabling the random package name generator.
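A defender-side triage check built from the details above (the reported package names, the loader's default package name, and the trojan's reliance on an accessibility-service grant). This is an added example, not code from ThreatFabric or The Hacker News; the sample command output and the service class name in it are constructed, and the live path assumes a device reachable over adb.

```shell
#!/bin/sh
# Added example, not ThreatFabric code; sample values below are constructed.

# Package names reported for Brokewell samples plus the loader's default name.
BROKEWELL_PACKAGES="jcwAz.EpLIq.vcAZiUGZpK zRFxj.ieubP.lWZzwlluca com.brkwl.upstracking com.brkwl.apkstore"

# is_known PKG: succeeds if PKG is one of the known Brokewell package names.
is_known() {
    for known in $BROKEWELL_PACKAGES; do
        if [ "$1" = "$known" ]; then return 0; fi
    done
    return 1
}

# flag_known_packages: reads `pm list packages` output ("package:<name>" per line)
# on stdin and prints every installed package that matches the known list.
flag_known_packages() {
    sed -n 's/^package://p' | while IFS= read -r pkg; do
        if is_known "$pkg"; then printf '%s\n' "$pkg"; fi
    done
    return 0
}

# flag_accessibility_abuse VALUE: VALUE is the secure setting
# enabled_accessibility_services, a colon-separated list of "package/service"
# entries ("null" when none). Prints entries owned by a known Brokewell package,
# i.e. the accessibility grant the trojan uses to self-grant permissions.
flag_accessibility_abuse() {
    if [ -z "$1" ] || [ "$1" = "null" ]; then return 0; fi
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        if is_known "${entry%%/*}"; then printf '%s\n' "$entry"; fi
    done
    return 0
}

# Live use against an attached device (needs adb); only run with --live.
scan_device() {
    adb shell pm list packages | tr -d '\r' | flag_known_packages
    flag_accessibility_abuse "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}

# Constructed sample output standing in for the two adb commands.
SAMPLE_PM_OUTPUT='package:com.android.chrome
package:jcwAz.EpLIq.vcAZiUGZpK
package:com.android.settings'
SAMPLE_ACC_SERVICES='com.android.talkback/.TalkBackService:jcwAz.EpLIq.vcAZiUGZpK/com.example.AccService'

printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_known_packages
flag_accessibility_abuse "$SAMPLE_ACC_SERVICES"
if [ "${1:-}" = "--live" ]; then scan_device; fi
```

Because the loader can generate random package names, a name match is only a quick first pass; an unexpected third-party package holding an enabled accessibility service is the more durable signal.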


The free availability of the loader means it could be embraced by other threat actors looking to sidestep Android's security protections.

"Second, existing 'Dropper-as-a-Service' offerings that currently provide this capability as a distinctive feature will likely either close their services or attempt to reorganize," ThreatFabric said.

"This further lowers the entry barrier for cybercriminals looking to distribute mobile malware on modern devices, making it easier for more actors to enter the field."

Update

A Google spokesperson shared the below statement with The Hacker News -

"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
