New banking malware gives hackers complete control of Android phones

A new Android mobile malware family, dubbed Brokewell, has appeared on cybersecurity researchers’ radars. It includes a powerful feature set, allowing attackers to take over user devices and steal data.

ThreatFabric analysts discovered the new trojan Brokewell, warning that it poses a significant threat to the banking industry and users. It allows attackers to remotely access all assets available through banking apps.

“The Trojan appears to be in active development, with new commands added almost daily. During our research, we discovered another dropper that bypasses Android 13+ restrictions. This dropper was developed by the same actor(s) and has been made publicly available, potentially impacting the threat landscape,” ThreatFabric warns.

The new malware was first observed as fake browser update fraud, a common method used by cybercriminals to lure victims into clicking links and downloading malicious payloads. However, the malware itself was unseen.

“Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware,” researchers say in a report.

The trojan overlays the infected phone’s screen to capture user credentials and other inputs. Additionally, it steals cookies and sends them to the command-and-control server.

Brokewell is also equipped with “accessibility logging,” capturing every event happening on the device: touches, swipes, information displayed, text input, and applications opened.

“All actions are logged and sent to the command-and-control server, effectively stealing any confidential data displayed or entered on the compromised device,” researchers warn.

The feature set also comes with a variety of spyware and device takeover capabilities. Attackers can stream the controlled phone’s screen and have full control, performing a wide range of actions.

Brokewell was observed targeting popular “buy now, pay later” financial service apps and an Austrian digital authentication app.

Researchers noted that the threat actor was not trying to hide its source code repositories. One of the servers used for command and control also hosted a repository called “Brokewell Cyber Labs,” created by "Baron Samedi.” It contained a source code for the Android loader, designed to bypass Android 13+ restrictions.

“More actors will gain the capability to bypass Android 13+ restrictions, suggesting this could become a regular feature for most mobile malware families, similar to reading SMS messages,” the report warns.

Analysis of the “Baron Samedi” profile reveals that the threat actor has been active for at least two years. However, only recently has it shifted to mobile malware. Previously, it had provided tools for cybercriminals to check stolen accounts from multiple services.

It is expected that Brokewell will likely be promoted on underground channels as a rental service.

New banking malware gives hackers complete control of Android phones

More from Cybernews: