Urgent warning to Android users about fake Chrome updates that could empty your bank account and leak your location
Hackers have a new bank account-draining malware aptly named “Brokewell,” and security researchers warn it’s targeting Android users.
The Brokewell Trojan currently masquerades as an update for Google Chrome for Android and sometimes even imitates Google’s advertisements for updates.
Even worse, according to the team’s security report, Brokewell “appears to be in active development, with new commands being added almost daily.”
The malware kit also includes a range of ‘spyware’ tools capable of covertly monitoring and remotely controlling an Android user’s mobile device.
“It can collect information about the device, call history, geolocation and record audio,” the security researchers warned.
Cybersecurity researchers from the firm ThreatFabric first identified Brokewell through the hackers’ spoofed Google Chrome update ads, but their “retrospective analysis” discovered previous hacking campaigns using the malware.
This “previously invisible malware family with a wide range of capabilities,” they wrote, also targeted Klarna, a popular “buy now, pay later” financial app, and ID Austria, the official digital authentication service created by the Austrian national government.
Brokewell uses two tactics that are increasingly common among similar mobile banking malware, according to ThreatFabric.
First, it uses ‘overlay attacks’, which place a fake screen over the targeted banking app, to steal the user’s credentials as the user types them in.
Then Brokewell actually steals the ‘session cookies’ used by the banking app, allowing the hacker to later bypass security measures like two-factor authentication.
Session cookies are temporary cookies that are deleted from a device when the user closes the browser.
By stealing them, hackers can insert them into new web sessions and essentially impersonate the original users without having to prove their identity.
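The replay described above works because the cookie alone is treated as proof of identity. As an added illustration (not from ThreatFabric's report or the original article), the sketch below binds each session to a key that stays on the device, so a copied cookie is rejected; the `SessionStore` class, the shared-secret HMAC scheme and all sample values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 60  # seconds a signed request stays valid (assumed policy)

def sign_request(device_key: bytes, cookie: str, nonce: str, timestamp: int) -> str:
    """Client side: prove possession of the device key for this one request."""
    msg = f"{cookie}|{nonce}|{timestamp}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class SessionStore:
    """Server side: remembers which device key each session cookie belongs to."""
    def __init__(self):
        self._sessions = {}        # cookie -> device key
        self._seen_nonces = set()  # (cookie, nonce) pairs already accepted

    def login(self, device_key: bytes) -> str:
        """Called after a full login (password + 2FA); returns the session cookie."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = device_key
        return cookie

    def verify(self, cookie, nonce, timestamp, proof, now=None) -> str:
        """Return 'ok', or the reason the request is rejected."""
        now = time.time() if now is None else now
        key = self._sessions.get(cookie)
        if key is None:
            return "unknown-session"
        if abs(now - timestamp) > MAX_SKEW:
            return "stale"
        if (cookie, nonce) in self._seen_nonces:
            return "replayed"
        if not hmac.compare_digest(sign_request(key, cookie, nonce, timestamp), proof):
            return "bad-proof"     # cookie presented without the device key
        self._seen_nonces.add((cookie, nonce))
        return "ok"

def demo():
    store = SessionStore()
    device_key = secrets.token_bytes(32)  # constructed; would live in the device keystore
    cookie = store.login(device_key)
    t = 1_700_000_000                     # constructed timestamp
    good = store.verify(cookie, "n1", t, sign_request(device_key, cookie, "n1", t), now=t)
    # A thief holding only the copied cookie has to sign with a key it does not have.
    forged = sign_request(secrets.token_bytes(32), cookie, "n2", t)
    stolen = store.verify(cookie, "n2", t, forged, now=t)
    return good, stolen
```

This only addresses cookies replayed from another device; it does not help once an attacker is operating the infected phone itself through the remote control features the researchers describe.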
“After stealing the credentials, the actors can launch a Device Takeover attack using remote control capabilities,” ThreatFabric warned in their report.
“The malware performs screen streaming and provides the actor (i.e. the hacker) with a series of actions that can be performed on the controlled device, such as touches, swipes and clicks on specific elements,” they discovered.
According to the researchers, all of Brokewell’s advanced new hacking tools will increase the likelihood that other hackers will use the ability to bypass the security measures currently available on Android devices running Android 13 or later.
“During our investigation, we discovered another dropper (malware that opens the gates for future malware payloads) that bypasses the limitations of Android 13+,” the researchers said.
“This dropper was developed by the same actor(s) and has been made public,” they noted.
ThreatFabric said they were able to pinpoint some of the servers used by the malware/spyware hybrid: a command and control point (C2) for managing the victims’ infected devices.
The hackers also brazenly host a repository for the code, complete with a “read me,” under the name “Brokewell Cyber Labs” and the author name “Baron Samedit.”
The name is a play on Baron Samedi, a figure from Haitian voodoo culture who was made famous by the James Bond villain of the same name in the 1973 film Live and Let Die.