    New ‘Brokewell’ Android Malware Spread Through Fake Browser Updates

    A recently discovered Android malware dubbed Brokewell is being distributed via fake browser update prompts, according to an analysis by Dutch security firm ThreatFabric.

    Brokewell is described as a sophisticated banking malware with data-stealing and remote-control capabilities. It is actively evolving, with new features added regularly, including commands to capture touch events, screen text, and information about launched applications.

    The malware disguises itself as popular apps such as Google Chrome, ID Austria, and Klarna. Some identified instances include:

    • jcwAz.EpLIq.vcAZiUGZpK (Google Chrome)
    • zRFxj.ieubP.lWZzwlluca (ID Austria)
    • com.brkwl.upstracking (Klarna)

    Brokewell gets around Google's restrictions on sideloaded apps by abusing accessibility service permissions. Once installed, it prompts the user to grant it accessibility permission, then uses that permission to grant itself further permissions and carry out its malicious activity without further user interaction.
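The two indicators above, the reported package names and an accessibility service held by an app that did not come from the Play Store, are cheap to check on a device under investigation. The following triage helper is an added example written for this page; it is not code from the article or from ThreatFabric. It parses the text you would capture with `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`; the line formats assumed for both commands are stated in the docstrings, the Play Store installer id `com.android.vending` is a real value, and the sample device output (including the `.AccessSvc` and `.HelperService` class names) is constructed for the demonstration.

```python
"""Offline triage of Android package and accessibility state for Brokewell indicators."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Package names reported for Brokewell samples in the article above,
# mapped to the legitimate app each one poses as.
BROKEWELL_PACKAGES = {
    "jcwAz.EpLIq.vcAZiUGZpK": "Google Chrome",
    "zRFxj.ieubP.lWZzwlluca": "ID Austria",
    "com.brkwl.upstracking": "Klarna",
}

# Installer package of the Play Store. Any other installer, or "null",
# means the app was not delivered through the store.
PLAY_STORE_INSTALLER = "com.android.vending"

# Assumed line format of `pm list packages -i`:
#   package:<name>  installer=<installer package or null>
PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_list(text: str) -> Dict[str, Optional[str]]:
    """Map each installed package to its installer (None when "null")."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a package line
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def parse_accessibility(setting: str) -> Set[str]:
    """Packages that currently own an enabled accessibility service.

    Assumed value format of `settings get secure enabled_accessibility_services`:
    colon-separated "<package>/<service class>" entries, or "null" when none.
    """
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def triage(pm_text: str, a11y_setting: str) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return (package, reasons) for every package that deserves a closer look."""
    installers = parse_pm_list(pm_text)
    a11y_pkgs = parse_accessibility(a11y_setting)
    findings: List[Tuple[str, Tuple[str, ...]]] = []
    for pkg, installer in installers.items():
        reasons = []
        if pkg in BROKEWELL_PACKAGES:
            reasons.append(f"known Brokewell package (poses as {BROKEWELL_PACKAGES[pkg]})")
        if pkg in a11y_pkgs and installer != PLAY_STORE_INSTALLER:
            reasons.append("accessibility service enabled by a non-store app")
        if reasons:
            findings.append((pkg, tuple(reasons)))
    # A service enabled for a package that is not in the package list at all
    # is worth surfacing rather than silently dropping.
    for pkg in sorted(a11y_pkgs - set(installers)):
        findings.append((pkg, ("accessibility service enabled for an unknown package",)))
    return sorted(findings)


# Constructed sample device output (not captured from a real infection).
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:jcwAz.EpLIq.vcAZiUGZpK  installer=null
package:com.example.sidehelper  installer=com.google.android.packageinstaller
package:com.example.notes  installer=com.android.vending
"""

SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":jcwAz.EpLIq.vcAZiUGZpK/.AccessSvc"  # constructed service class name
    ":com.example.sidehelper/.HelperService"  # constructed service class name
)

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM_LIST, SAMPLE_A11Y):
        print(pkg)
        for r in reasons:
            print("  -", r)
```

TalkBack is not flagged because it came from the store; the constructed `com.example.sidehelper` is flagged on the accessibility rule alone, which is the check that still fires when a new Brokewell build ships under a package name nobody has catalogued yet.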

    Its tactics include overlay screens that capture user credentials, and intercepting and exfiltrating session cookies from legitimate websites. Brokewell can also record audio, capture screenshots, read call logs and device location, list installed apps, log device events, send SMS messages, make phone calls, install and uninstall apps, and disable accessibility services.

    The malware also features remote control capabilities, allowing threat actors to view real-time device screens and interact with them through clicks, swipes, and touches.

    Brokewell is attributed to a developer known as “Baron Samedit Marais,” who runs the “Brokewell Cyber Labs” project. The project includes an Android loader hosted on Gitea that is designed to bypass the restrictions Android 13, 14, and 15 place on accessibility permissions for sideloaded apps. The loader acts as a dropper that deploys the trojan implant.

    ThreatFabric warns that the free availability of the loader could attract other threat actors seeking to evade Android’s security measures. This could lead to the closure or restructuring of existing “Dropper-as-a-Service” offerings and further lower the barrier for cybercriminals to distribute mobile malware.
