Hackers have unleashed a new bank account-draining malware, appropriately named ‘Brokewell,’ and security researchers warn that it’s targeting Android users.
The Brokewell trojan is currently posing as an update to Google Chrome for Android, at times even impersonating Google’s ads for updates.
Worse, according to the team’s security report, Brokewell ‘appears to be in active development, with new commands added almost daily.’
The malware kit also includes a suite of ‘spyware’ tools capable of covertly surveilling and remotely controlling an Android user’s mobile device.
‘It can collect information about the device, call history, geolocation, and record audio,’ the security researchers warned.
Hackers have unleashed a new bank account-draining malware, appropriately named ‘Brokewell,’ and security researchers warn that it’s targeting Android users
Brokewell is currently posing as an update to Google Chrome for Android, at times even impersonating Google’s ads for updates (example above), according to the latest advisory from the security researchers at ThreatFabric
Cybersecurity researchers at the firm ThreatFabric first identified Brokewell via the hackers’ faked Google Chrome update ads, but their ‘retrospective analysis’ discovered prior hacking campaigns using the malware.
This ‘previously unseen malware family with a wide range of capabilities,’ they wrote, had also targeted Klarna, a popular ‘buy now, pay later’ financial app, and ID Austria, the official digital authentication service created by Austria’s national government.
Brokewell, according to ThreatFabric, employs two increasingly common tactics popular with similar cyber-burglarizing mobile banking malware.
First it uses ‘overlay attacks,’ which creates a false screen over the targeted banking app, to steal the user’s login credentials as the real user types it in themselves.
Next, Brokewell actually steals the ‘session cookies’ used by the banking app, so that the hacker can bypass security measures like two-factor authentication later.
Session cookies are temporary cookies that are erased from a device once the user closers the browser.
By stealing them, hackers can put them into new web sessions and basically impersonate the original users without having to prove their identity.
All of Brokewell’s sophisticated new hacking tools, according to the researchers, will increase the likelihood that other hackers will soon incorporate its ability to bypass security measures on Android devices running Android 13 or higher. Above, known targets of Brokewell now
The hackers brazenly host a repository for its code, under the name ‘Brokewell Cyber Labs’ and the author name ‘Baron Samedit.’ The name is a pun on Baron Samedi, a figure in Haitian voodoo culture made famous by the James Bond villain in the 1973 film Live and Let Die
‘After stealing the credentials, the actors can initiate a Device Takeover attack using remote control capabilities,’ ThreatFabric warned in their report.
‘The malware performs screen streaming and provides the actor [i.e. the hacker] with a range of actions that can be executed on the controlled device, such as touches, swipes, and clicks on specified elements,’ they found.
All of Brokewell’s sophisticated new hacking tools, according to the researchers, will increase the likelihood that other hackers will incorporate its ability to bypass the security measures currently on Android devices running Android 13 or higher.
‘During our research, we discovered another dropper [malware that opens the gates for future malware payloads] that bypasses Android 13+ restrictions,’ the researchers said.
‘This dropper was developed by the same actor(s) and has been made publicly available,’ they noted.
ThreatFabric said that they were able to track down some of the servers used by the malware/spyware hybrid: a command and control (C2) point for managing its victims’ infected devices.
The hackers also brazenly host a repository for its code, complete with a ‘read me,’ under the name ‘Brokewell Cyber Labs’ and the author name ‘Baron Samedit.’
The name is a pun on Baron Samedi, a figure in Haitian voodoo culture made famous by the James Bond villain of the same name in the 1973 film Live and Let Die.
