Tuesday, November 12, 2024

Android Malware Brokewell With Complete Device Takeover Capabilities


A new family of mobile malware known as “Brokewell” has been found to have a wide range of device takeover capabilities. 

This seriously threatens the banking sector by giving attackers remote access to all the resources made available via mobile banking.

New commands are introduced virtually every day, which indicates that the Trojan is still under development.


Experts say Brokewell will most likely be offered as a rental service through underground channels, receiving the attention of other cybercriminals and inspiring new operations targeting different regions.

“These actors require this functionality to commit fraud directly on victims’ devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting,” ThreatFabric researchers shared with Cyber Security News.


Brokewell’s Primary Features

Researchers discovered a fake browser update page intended to install an Android application.

To unwary victims this strategy appears innocent, because a skillfully designed website offers an update to a more recent version of the program, and normal, because such prompts occur during regular browser use.

According to researchers, the downloaded application belongs to a malware family with unprecedented capabilities.

Fake page distributing Brokewell

Brokewell is a classic example of contemporary banking malware that combines remote-control and data-stealing capabilities.

Brokewell employs overlay attacks, a popular method among Android banking malware, to obtain user credentials by superimposing a fake screen over a targeted application.

Brokewell can also steal cookies, another characteristic common to modern mobile banking malware.

It accomplishes this by starting its own WebView, overriding the onPageFinished method, and loading the authentic webpage.

After the victim successfully logs in, Brokewell dumps the session cookies and sends them to the command and control (C2) server.

Stealing victim’s credentials

With its “accessibility logging,” Brokewell records all user interactions, including touches, swipes, information displayed, text input, and applications opened.

Any private information typed or seen on the infected device is effectively stolen because every action is recorded and transmitted to the command-and-control server.

After obtaining the credentials, the actors can use remote control capabilities to launch a Device Takeover attack. 

To do this, the malware streams the screen and gives the actor access to various commands that can be used on the device under control, including touches, swipes, and clicks on designated elements.

“These capabilities might be further expanded in the future by automating specific actions to streamline the Device Takeover attack for the actors and potentially create a functional Automated Transfer System (ATS)”, researchers said.
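A static triage sketch for the capability combination described above (overlay, accessibility logging, screen streaming), added here as an example and not taken from the researchers' report or from the malware. The permission-to-capability mapping, the installer check and the sample manifests are assumptions for illustration, not Brokewell indicators.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ACC_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACC_ACTION = "android.accessibilityservice.AccessibilityService"
# Heuristic mapping (assumption): manifest permission -> capability named in the article.
PERM_CAPS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen-capture",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs-other-apks",
}

def capabilities(root):
    """Return the set of takeover-relevant capabilities a parsed manifest requests."""
    caps = set()
    for perm in root.iter("uses-permission"):
        cap = PERM_CAPS.get(perm.get(ANDROID + "name"))
        if cap:
            caps.add(cap)
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        # An accessibility service needs both the bind permission and the intent action.
        if svc.get(ANDROID + "permission") == ACC_PERM and ACC_ACTION in actions:
            caps.add("accessibility")
    return caps

def triage(manifest_xml, installer):
    """Flag side-loaded apps that pair accessibility with another takeover capability."""
    root = ET.fromstring(manifest_xml)
    caps = capabilities(root)
    # Assumption: anything not installed by Google Play counts as side-loaded.
    sideloaded = installer != "com.android.vending"
    flagged = sideloaded and "accessibility" in caps and len(caps) >= 2
    return {"package": root.get("package"), "capabilities": sorted(caps),
            "sideloaded": sideloaded, "flagged": flagged}

# Constructed sample manifests (decoded XML form, not from any real application).
TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{pkg}">{perms}
  <application><service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
  </service></application>
</manifest>"""

def sample(pkg, perms):
    tags = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return TEMPLATE.format(pkg=pkg, perms=tags)

FAKE_UPDATE = sample("com.example.browserupdate", list(PERM_CAPS)[:2])
SCREEN_READER = sample("com.example.reader", [])

if __name__ == "__main__":
    print(triage(FAKE_UPDATE, installer=None))
    print(triage(SCREEN_READER, installer=None))
```

A flag from this check is a reason to inspect the app further, not a verdict: legitimate accessibility tools can request the same permissions.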

A New Actor In The Field Of Mobile Malware

Brokewell was used to host a repository named “Brokewell Cyber Labs,” created by “Baron Samedit.”

Researchers say this repository contains the source code for “Brokewell Android Loader,” another tool created by the same developer to bypass Android 13+ limitations on the Accessibility Service for side-loaded apps.

Threat actor advertises their products, including mobile threats and other offerings

Hence, the only way to properly identify and stop potential fraud from malware families like the recently identified Brokewell is to use a comprehensive, multi-layered fraud detection solution that is based on a combination of indicators, including device behavior and identity threats for each customer.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
