Brokewell Mobile Malware Spreads Through Fake Chrome Updates
Counterfeit browser updates are being used to distribute a previously undocumented Android malware family known as Brokewell.
According to an analysis by security researchers published in April 2024, Brokewell is a modern banking trojan that combines data-stealing and remote-control capabilities.
The malware is actively evolving, with ongoing development introducing new commands to capture touch events, on-screen text, and launched applications.
Brokewell disguises itself as legitimate apps, including Google Chrome, ID Austria, and Klarna; the analysis lists the following package names:
- jcwAz.EpLIq.vcAZiUGZpK (Google Chrome)
- zRFxj.ieubP.lWZzwlluca (ID Austria)
- com.brkwl.upstracking (Klarna)
Like other recent Android malware, Brokewell can circumvent the protection Google added to Android (the "restricted settings" introduced in Android 13) that blocks sideloaded apps from being granted accessibility service access.
Once installed and launched, the trojan prompts the victim to enable its accessibility service. With that access it can click through the system dialogs for every other permission it needs, after which it carries out its malicious activities without further interaction from the victim.
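The package names listed above and the accessibility grant described here are both checkable from a host with adb access to a suspect device. The following script is an added example, not code from the published analysis or from any vendor tool: it takes the output of `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services`, reports which Brokewell package names are installed, and reports which of them already hold accessibility access. The loader's default package name from later in this article is included in the indicator list; the sample input at the bottom, including the service class name in it, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Brokewell analysis or from any vendor tool:
# triage a device for the Brokewell package names published in the analysis
# and report whether any of them has been granted accessibility-service access.
#
# Real inputs come from two adb commands run on a host with the device attached:
#   adb shell pm list packages                                   > packages.txt
#   adb shell settings get secure enabled_accessibility_services  > a11y.txt
# then: triage packages.txt "$(cat a11y.txt)"

# Package names from the published analysis: the three disguises plus the
# loader's default package name.
BROKEWELL_PKGS="jcwAz.EpLIq.vcAZiUGZpK zRFxj.ieubP.lWZzwlluca com.brkwl.upstracking com.brkwl.apkstore"

# find_installed FILE: print each indicator package present in "pm list packages"
# output, which has one "package:<name>" line per installed package.
find_installed() {
    for p in $BROKEWELL_PKGS; do
        if grep -qxF "package:$p" "$1"; then
            echo "$p"
        fi
    done
    return 0
}

# find_accessibility VALUE: print each indicator package that appears in the
# enabled_accessibility_services setting, a colon-separated list of
# "<package>/<service class>" entries. The setting reads "null" when no
# service is enabled, which matches nothing here.
find_accessibility() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        pkg=${entry%%/*}
        for p in $BROKEWELL_PKGS; do
            if [ "$pkg" = "$p" ]; then
                echo "$p"
            fi
        done
    done
    return 0
}

# triage FILE VALUE: print a verdict; exit status 1 when any indicator is present.
triage() {
    installed=$(find_installed "$1")
    granted=$(find_accessibility "$2")
    if [ -z "$installed" ] && [ -z "$granted" ]; then
        echo "no Brokewell indicators found"
        return 0
    fi
    if [ -n "$installed" ]; then
        echo "installed indicator packages: $installed"
    fi
    if [ -n "$granted" ]; then
        echo "indicator packages holding accessibility access: $granted"
    fi
    return 1
}

# Constructed sample input (not real device data, and the service class name is
# invented for the demo): one indicator package installed and already granted
# accessibility access, next to benign entries such as TalkBack.
sample_pkgs=$(mktemp)
printf 'package:com.android.chrome\npackage:com.brkwl.upstracking\npackage:com.android.settings\n' > "$sample_pkgs"
sample_a11y='com.brkwl.upstracking/.AccessibilityService:com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'
if triage "$sample_pkgs" "$sample_a11y"; then
    echo "verdict: clean"
else
    echo "verdict: isolate the device and preserve evidence before removing the app"
fi
rm -f "$sample_pkgs"
```

An accessibility grant is the stronger signal of the two: a package name on its own can be renamed by the operator, but a sideloaded app holding accessibility access on a patched device is exactly the condition the loader exists to create, so treat that line as the trigger for incident response rather than a simple uninstall.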
Brokewell Comes With Diverse Malicious Toolkit
Brokewell's capabilities include displaying overlay screens to steal user credentials, intercepting session cookies, recording audio, taking screenshots, accessing call logs and device location, listing installed apps, sending SMS messages, making phone calls, installing/uninstalling apps, and disabling accessibility services.
The malware allows threat actors to remotely view real-time screen content and interact with the device through clicks, swipes, and touches.
Brokewell is attributed to a developer using the pseudonym "Baron Samedit Marais" who manages the "Brokewell Cyber Labs" project. The project includes an Android Loader hosted on Gitea, designed to bypass accessibility permission restrictions on specific Android versions and deploy the trojan implant.
The loader works as a dropper: the apps it generates carry the default package name "com.brkwl.apkstore", which defenders can treat as an additional indicator. Because the loader is available to others, it could also be picked up by threat actors beyond Brokewell's operators who are seeking the same bypass of Android's sideloading protections.