Fake browser updates are being used to spread a previously undocumented Android malware called Brokewell.
An overview of the Brokewell Android malware
“Brokewell is a typical modern banking malware featuring both data theft and remote control capabilities built into the malware,” said Dutch cybersecurity firm ThreatFabric in an analysis published Thursday.
The malware is believed to be in active development, with new commands being added to capture touch events, the text displayed on the screen, and the applications the user launches.
Here is the list of Brokewell apps that masquerade as Google Chrome, ID Austria and Klarna:
- jcwAz.EpLIq.vcAZiUGZpK (Google Chrome)
- zRFxj.ieubP.lWZzwlluca (ID Austria)
- com.brkwl.uptracking (Klarna)
Like other recent Android malware families of this type, Brokewell is able to bypass the restrictions Google imposes to prevent sideloaded apps from requesting accessibility service permissions.
Brokewell works like other banking trojans
Once installed and launched for the first time, the banking trojan asks the victim to grant accessibility service permissions, which it then uses to automatically grant itself other permissions and carry out various malicious activities.
These include displaying screen overlays on top of targeted apps to steal user credentials. It can also steal cookies by opening a WebView and loading the legitimate website (in practice a simple JavaScript snippet), after which the session cookies are intercepted and transmitted to a server controlled by the malware's author or authors.
Note that Android System WebView is doubly tied to the Google ecosystem: not only to the Android operating system itself, but other Chromium-based browsers such as Brave and Opera also use it as a rendering engine to load sites.
Other features of Brokewell include the ability to record audio, take screenshots, retrieve call logs, access device location, list installed applications, record every event that happens on the device, send SMS messages, make phone calls, install and uninstall apps, and even disable the accessibility service.
What problems does this malware cause?
Among other things, cybercriminals can also use the malware's remote control functionality to see what is displayed on the screen in real time and to interact with the device through clicks, swipes and touches.
As for the stolen touch data: although it is very unlikely, it cannot be ruled out that victims' fingerprints could be stolen.
Brokewell is said to be the work of a developer who calls himself “Baron Samedit Marais” and runs the “Brokewell Cyber Labs” project, which also includes an Android Loader hosted publicly on Gitea.
The loader is designed to act as a dropper that bypasses accessibility permission restrictions in Android versions 13, 14 and 15, using a technique previously adopted by dropper-as-a-service (DaaS) offerings such as SecuriDropper, and then deploys the trojan implant.
Conclusion
By default, loader apps generated through this process have the package name “com.brkwl.apkstore”, although this can be configured by the user by providing a specific name or enabling the random package name generator.
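As an added example (not from ThreatFabric's report or from the Brokewell code itself), here is a small triage helper that parses `pm list packages -i` and `settings get secure enabled_accessibility_services` output captured from a device over adb, then flags the package names listed in this article together with any sideloaded app that has been granted accessibility access. The sample device output is constructed, and the trusted-installer list is an assumption for the example.

```python
# Added triage example; device output below is constructed, not captured.
# Package names this article lists for the Brokewell disguises and loader.
BROKEWELL_PACKAGES = {
    "jcwAz.EpLIq.vcAZiUGZpK",  # poses as Google Chrome
    "zRFxj.ieubP.lWZzwlluca",  # poses as ID Austria
    "com.brkwl.uptracking",    # poses as Klarna
    "com.brkwl.apkstore",      # default loader package name
}
# Installers treated as trusted app stores (assumption for this example).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_pm_list(text: str) -> dict[str, str]:
    """Parse `pm list packages -i` lines into {package: installer}."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("  installer=")
        result[pkg.strip()] = rest.strip() or "null"
    return result

def parse_accessibility(text: str) -> set[str]:
    """Parse the colon-separated pkg/service list into a set of packages."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}

def triage(pm_output: str, a11y_output: str) -> list[str]:
    """Flag known Brokewell packages and sideloaded apps with accessibility."""
    installed = parse_pm_list(pm_output)
    a11y = parse_accessibility(a11y_output)
    findings = []
    for pkg, installer in sorted(installed.items()):
        if pkg in BROKEWELL_PACKAGES:
            findings.append(f"KNOWN_BROKEWELL {pkg} installer={installer}")
        elif pkg in a11y and installer not in TRUSTED_INSTALLERS:
            findings.append(f"SIDELOADED_WITH_ACCESSIBILITY {pkg} installer={installer}")
    return findings

# Constructed sample output, in the format the two adb commands produce.
SAMPLE_PM = """package:com.android.chrome  installer=com.android.vending
package:jcwAz.EpLIq.vcAZiUGZpK  installer=null
package:com.example.talkback  installer=com.android.vending
package:org.example.sideloaded  installer=null
"""
SAMPLE_A11Y = "jcwAz.EpLIq.vcAZiUGZpK/.AccService:org.example.sideloaded/.Helper:com.example.talkback/.TB"

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(finding)
```

A legitimate accessibility tool installed from the Play Store (the constructed `com.example.talkback` entry) is not flagged, so the second rule only surfaces sideloaded apps holding that permission.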
The free availability of the loader means it could be adopted by other cybercriminals trying to bypass Android security protections.
“Second, existing 'Dropper-as-a-Service' offerings that currently provide this capability as a defining feature will likely close their services or try to reorganize,” said ThreatFabric, which concluded: “this further lowers the barrier of entry for cybercriminals seeking to distribute mobile malware on modern devices, making it easier for more hackers to enter the industry.”
In the end, it is advisable to pay attention to the sources from which you download files: use official sources, preferably, or alternatively verified and reliable third-party sources.