Pierluigi Paganini
April 27, 2024
ThreatFabric researchers uncovered a new mobile malware named Brokewell, which is equipped with sophisticated device takeover features. The experts pointed out that this malware is actively evolving and poses a severe risk to the banking sector. The author frequently adds new commands.
The attack chain starts with fake application updates for popular software, such as the Chrome browser and the Austrian digital authentication application.
Brokewell employs overlay attacks to overlap a fake screen over legitimate applications, capturing user credentials. The malicious code also has the capability to steal cookies. By launching its own WebView and overriding the onPageFinished method, Brokewell loads the authentic website, captures session cookies during the login process, and transmits them to the C2 server.
Brokewell malware supports “accessibility logging,” it records any device events such as touches, swipes, displayed information, text input, and opened applications. Then it transmits logs to the C2 server, effectively capturing confidential data displayed or entered on the compromised device. The experts explained that potentially all applications on the device are vulnerable to data compromise as Brokewell logs every event.
The malware also supports multiple “spyware” functionalities, it can gather device information, call history, geolocation, and record audio.
“After stealing the credentials, the actors can initiate a Device Takeover attack using remote control capabilities. To achieve this, the malware performs screen streaming and provides the actor with a range of actions that can be executed on the controlled device, such as touches, swipes, and clicks on specified elements.” reads the report published by ThreatFabric.
Brokewell supports various commands that allow to take full control of the device. The malware can also perform various actions on the screen, including touches, swipes, clicks, scrolls, text input, and more.
Researchers discovered that one of the C2 servers of this malware was hosting a repository called Brokewell Cyber Labs.
The repository contained the source code for a ‘Brokewell Android Loader,’ Brokewell and the loader were both developed by a threat actor called Baron Samedit.
The Brokewell Android Loader can bypass Android 13+ restrictions, experts believe it can be used in the future to spread other malware families.
Analysis of the “Baron Samedit” profile shows that the threat actor has been active for at least two years, initially involving tools for checking stolen accounts across various services.
“The discovery of a new malware family, Brokewell, which implements Device Takeover capabilities from scratch, highlights the ongoing demand for such capabilities among cyber criminals. These actors require this functionality to commit fraud directly on victims’ devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting.” concludes the report.
“We anticipate further evolution of this malware family, as we’ve already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Android)
