Analysis Summary

Brokewell, a newly discovered Android banking trojan, presents a significant threat to users by employing sophisticated techniques to compromise devices and steal sensitive information. Delivered through fake Google Chrome updates, Brokewell exhibits a combination of extensive device takeover and remote control capabilities raising concerns among security researchers.

Researchers uncovered Brokewell while investigating a fraudulent Chrome update page that drops the malware payload, a common tactic used to deceive unsuspecting users into installing malicious software. Analysis of past campaigns revealed Brokewell's previous targeting of "buy now, pay later" financial services and its disguise as an Austrian digital authentication application called ID Austria.

Brokewell's main functionalities revolve around data theft and remote control. In terms of data stealing, the trojan employs various techniques, including overlay attacks to mimic login screens of targeted applications intercepting and extracting cookies, capturing user interactions, retrieving call logs, determining device location, and even capturing audio through the device's microphone. This comprehensive data theft capability poses a grave risk to users' privacy and security.

Additionally, Brokewell enables device takeover by allowing attackers to view the device's screen in real time, execute remote touch and swipe gestures, click on specified screen elements, simulate physical button presses, and adjust device settings remotely. These features grant cybercriminals extensive control over infected devices facilitating fraudulent activities and evading detection mechanisms.

The threat actor behind Brokewell has been associated with the development and distribution of tools for checking stolen accounts. Furthermore, the discovery of "Brokewell Android Loader" a tool developed to bypass Google's restrictions on Accessibility Service for side-loaded apps highlights the evolving sophistication of malware distribution techniques.

Security researchers warn that the device takeover capabilities offered by Brokewell are highly sought after among cybercriminals due to their potential to evade fraud detection tools. With the likelihood of Brokewell being further developed and distributed through underground forums as part of a malware-as-a-service operation, proactive measures such as avoiding app downloads from unofficial sources and ensuring the activation of Google Play Protect are crucial to mitigate the risk of Android malware infections.

Impact

• Unauthorized Access
• Sensitive Information Theft
• Financial Loss
• Cyber Espionage

Indicators of Compromise

SHA1

• b9f55f4cb8ba6a4529ad955b4bdad36faf6b7476
• f5e24d031edf0ec9c67d98c9294d5904dae34394

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Educate users about the dangers of clicking on links or downloading apps from unknown sources sent via email, text messages, or social media. Phishing attacks can trick users into installing malicious apps.
• Users should review app permissions before installation. If an app requests unnecessary or excessive permissions, it might be suspicious.
• Encourage users to only download and install apps from trusted sources, such as the official Google Play Store. Sideloading apps from third-party sources increases the risk of installing malicious applications.
• Install reputable mobile security apps that offer real-time threat detection and malware protection. These apps can help identify and block malicious apps before they are installed.
• Regularly scan your device for malware using security apps. This helps identify any potentially malicious apps that might have been inadvertently installed.
• Security software providers should continually update their tools to detect and mitigate new and sophisticated evasion techniques.
• App stores should enforce strict guidelines for app submissions to ensure that only legitimate and secure apps are made available to users.
• Encourage users to report suspicious apps to app stores or security researchers. This helps identify and remove malicious apps from circulation.