Trojan masquerades as a Chrome update to steal accounts and banking details on Android | TECHNOLOGY


Cybersecurity researchers have discovered a Trojan, known as Brokewell, that masquerades as a Chrome update on Android and gives cybercriminals remote access to all assets available through mobile banking.

A Trojan is a type of ‘malware’ embedded in a seemingly legitimate executable file. This means that, once downloaded, the file accesses the device with the intention of executing malicious actions, such as stealing information.


Analysts from the security firm ThreatFabric have discovered a new family of mobile ‘malware’, called Brokewell, which “represents a significant threat to the banking industry,” as they noted in a statement.

The Brokewell Trojan, which appears to be in active development and adds new commands “almost daily,” is capable of bypassing Android 13+ restrictions and is presented as an update to Google Chrome.

Specifically, the cybercriminals present a page very similar to the legitimate browser download page to disguise the banking malware, which uses overlay attacks.

This is a common technique for this type of malicious software, in which it overlays a fake screen on a specific application to capture the user’s credentials. Likewise, it has the ability to steal session cookies and send them to a command and control (C2) server.


In this way, once they obtain the access credentials, cybercriminals can start an attack to take over the devices. To achieve this, the ‘malware’ transmits the screen to the server, from which the malicious agents can execute certain commands.

Those responsible for the investigation have also pointed out that Brokewell is equipped with an accessibility log, which captures every event that happens on the device, that is, the keystrokes on the screen or the information displayed by open applications.

In addition to monitoring victims’ activity, the Trojan also supports a variety of ‘spyware’ functionalities, i.e. it can collect information about the device, call history, geolocation and record audio.


Active for two years

ThreatFabric has indicated that it is possible that the Trojan, whose developers do not hide their identity (its repository, Brokewell Cyber Labs, comes with the signature ‘Baron Samedit’), is promoted in clandestine channels, which may attract the interest of other cybercriminals.


This repository also contains the source code of Brokewell Android Loader, another tool from the same developer, designed to bypass the Android 13+ restrictions on the accessibility service for side-loaded applications.

According to the study, this “will have a significant impact on the threat landscape,” as more actors will gain the ability to bypass the restrictions of this operating system, which may become a common feature for most mobile malware families.

In addition, experts believe that ‘Baron Samedit’ has been active for at least two years and previously provided other cybercriminals with tools to check stolen accounts from multiple services.

Finally, the researchers pointed out that these ‘malware’ families “pose a significant risk to clients of financial institutions”, which results in “successful” fraud cases that are “difficult to detect without appropriate measures.”
