01 May

Android Malware Brokewell Exploits Fake Browser Updates

Brokewell, a newly discovered Android malware, is being distributed through fake browser update prompts. Identified by Dutch security firm ThreatFabric, Brokewell combines data theft and remote control capabilities, evolving with new commands to capture touch events, on-screen text, and launched applications.

Masquerading as legitimate apps such as Google Chrome, ID Austria, and Klarna, Brokewell bypasses Google’s restrictions by tricking users into granting accessibility service permissions. Once installed, it uses that access to grant itself additional permissions and carry out malicious activity. It overlays screens to steal user credentials, intercepts session cookies, records audio, takes screenshots, accesses call logs and location data, sends SMS messages, and more. The malware also allows threat actors to remotely view and control infected devices in real time.

Attributed to a developer known as “Baron Samedit Marais,” Brokewell is part of the “Brokewell Cyber Labs” project. Its distribution is facilitated by an Android loader hosted on Gitea, which bypasses the accessibility permission restrictions of certain Android versions. The loader, described as a dropper, can be customized with different package names to evade detection.

ThreatFabric warns of the broader implications of Brokewell’s discovery. The availability of its loader could empower other threat actors to exploit Android’s security weaknesses, potentially leading to an influx of mobile malware distribution. This could prompt changes in existing dropper-as-a-service offerings and lower the entry barrier for cybercriminals seeking to enter the mobile malware landscape.


Overall, Brokewell represents a significant threat to Android users, highlighting the evolving tactics of cybercriminals to bypass security measures and compromise devices for financial gain. Vigilance against fake updates and suspicious app requests is crucial to mitigate the risk of infection.