Auth Lab Community

“New Brokewell Malware Found to Hijack Android Devices, Stealing Vast Amounts of Data”

**New Brokewell Malware Takes Control of Android Devices and Steals Data**

In a recent development, security researchers have uncovered a new Android banking Trojan called Brokewell, malicious software that is nearly “unstoppable” and can capture what is shown on the display, text input, and which applications the user launches on Android devices.

According to reports, the Brokewell malware is primarily distributed via fake Google Chrome updates that pop up during web browser runtime, offering a wide range of device hijacking and remote control capabilities.

During an investigation of a fake Chrome browser update page, researchers at ThreatFabric discovered the Brokewell malware. Upon closer examination, researchers found that the update page delivers a payload, enticing unsuspecting users to install the malicious software.

As the investigation progressed, researchers found that the Brokewell malware had been used to target “buy now, pay later” financial services such as Klarna, masquerading as an Austrian digital identity verification application called ID Austria.
APK used to distribute Brokewell malware
The Brokewell malware steals data and provides remote control to attackers.

Information theft types include:
1. Imitating the login screen of targeted applications to steal credentials (overlay attacks);
2. Intercepting and extracting cookies using its own WebView after a user logs into legitimate websites;
3. Capturing the user’s interactions with the device, including clicks, swipes, and text inputs, to steal sensitive data displayed or entered on the device;
4. Collecting detailed hardware and software information from the device;
5. Retrieving call logs;
6. Determining the physical location of the device;
7. Capturing audio using the device’s microphone.

Theft of victim credentials
Device Hijacking:
1. Allowing attackers to view the device screen in real-time (screen streaming);
2. Remotely executing touch and swipe gestures on infected devices;
3. Permitting remote clicks on specified screen elements or coordinates;
4. Allowing remote scrolling of elements and entering text into specified fields;
5. Simulating physical buttons such as “back,” “home,” and “bookmark”;
6. Remotely activating the device screen to capture any information;
7. Adjusting settings such as brightness and volume to zero.

ThreatFabric disclosed in their report that the developer behind the Brokewell malware calls themselves Baron Samedit, a threat actor who has been selling tools to check compromised accounts for several years.
Tools sold on the threat actor’s website
Researchers also discovered another tool named “Brokewell Android Loader,” also developed by Samedit, hosted on a server acting as a command and control server for Brokewell and currently being used by multiple cyber threat actors.

The Brokewell Android Loader tool can help threat actors bypass security measures introduced by Google in Android 13 and later versions. Finally, security experts emphasize that organizations should protect themselves from Android malware infections by avoiding downloading applications or application updates from sources other than Google Play and ensuring that Play Protect is always active on their devices.

*Reference Article:*
https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/
