ThreatFabric has disclosed a new Android banking trojan, Brokewell, that records every action on an infected device, from taps and text entry to app launches. The trojan is delivered through a fake Google Chrome update page shown in the browser and targets Android users.
Brokewell is still under active development but already offers extensive device-takeover and remote-control capabilities. Attackers have used it disguised as a financial service operating under the "buy now, pay later" model and as ID Austria, the Austrian digital identity app.
Brokewell's main functions are data theft and remote access for the attackers:
- Overlay attacks: fake login screens displayed over targeted apps to steal credentials;
- Cookie theft: after the user logs in to a legitimate site loaded in the trojan's WebView, the session cookies are intercepted and exfiltrated;
- Logging of every interaction with the device, including taps, swipes, and text entry, to capture data as it is typed;
- Collection of hardware and software details about the device;
- Access to the call log and the device's geolocation;
- Audio recording through the device's microphone.
Brokewell can also stream the device screen in real time, perform touch and swipe gestures on the infected device, remotely tap on-screen elements, type text into specified fields, and simulate presses of the system buttons.
Researchers also uncovered a second tool, Brokewell Android Loader, written by a developer known as Baron Samedit. The loader exists to bypass the restrictions Android 13 introduced to stop apps installed from outside an official store from being granted powerful permissions such as the Accessibility Service.
Experts warn that device-takeover capability is in high demand among cybercriminals because fraud can then be carried out directly from the victim's device, which makes it much harder to detect. To protect against such threats, install apps and updates only from the official Google Play store and keep Play Protect enabled.
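The abuse vector the loader targets, an accessibility service granted to a sideloaded app, is something a device can be audited for. The script below is an added example (not ThreatFabric's code or anything from the campaign): it parses the output of two adb commands, `adb shell settings get secure enabled_accessibility_services` (colon-separated component names, or `null` when none are enabled) and `adb shell pm list packages -i` (one `package:<name>  installer=<store or null>` line per app), and flags any enabled accessibility service whose package was not installed by a trusted store. The sample outputs and the package name `com.example.chromeupdate` are constructed for this example; the trusted-installer set is an assumption you would extend with your own MDM or OEM store.

```python
import re

# Installers treated as trusted. com.android.vending is Google Play; add an MDM or
# OEM store package here if your fleet uses one (assumption for this example).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated ComponentName strings; the command prints "null" when none are enabled).
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.chromeupdate/.AccService"
)

# Constructed sample of `adb shell pm list packages -i`. installer=null means the
# package was sideloaded or its installer is unknown. Package names are invented.
PACKAGE_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.chromeupdate  installer=null
package:com.android.chrome  installer=com.android.vending
"""

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_enabled_services(text):
    """Return [(package, fully qualified service class), ...] from the settings output."""
    text = text.strip()
    if not text or text == "null":
        return []
    services = []
    for component in text.split(":"):
        if "/" not in component:
            continue
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):  # ComponentName shorthand: "pkg/.Svc" means "pkg/pkg.Svc"
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(text):
    """Return {package: installer or None} from `pm list packages -i` output."""
    installers = {}
    for line in text.splitlines():
        m = _PKG_RE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.groups()
        installers[pkg] = None if installer == "null" else installer
    return installers


def suspicious_accessibility(services_text, packages_text, trusted=TRUSTED_INSTALLERS):
    """List enabled accessibility services whose package did not come from a trusted store."""
    installers = parse_installers(packages_text)
    findings = []
    for pkg, cls in parse_enabled_services(services_text):
        installer = installers.get(pkg)  # None: sideloaded, or package missing from the list
        if installer not in trusted:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings


if __name__ == "__main__":
    for f in suspicious_accessibility(ENABLED_SERVICES, PACKAGE_LIST):
        print(f"SUSPICIOUS: {f['package']} runs {f['service']} (installer={f['installer']})")
```

A package that is absent from the package list altogether is also reported, since an enabled service with no visible owner is worth a look. Run the two adb commands against a device, feed their output to `suspicious_accessibility`, and treat any hit that is not a known accessibility tool as a candidate for removal.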