Security researchers at Threat Fabric have discovered a new Android malware that can capture everything you do on your phone. Dubbed Brokewell, the malware can read all touch inputs, app launches, text inputs, images displayed on the screen, and more. It also features remote control capabilities, effectively giving the attacker full control over your device.
Brokewell Android malware with remote control capabilities discovered
According to Threat Fabric, Brokewell is distributed through a fake Chrome update page. This is a common technique for tricking unsuspecting users into downloading malware onto their devices: they tap the update button without verifying the source. Once installed, the malware can completely take over the phone and cause extensive damage.
The cybersecurity firm describes Brokewell as “a previously unseen malware family with a wide range of capabilities.” However, a retrospective analysis revealed earlier campaigns by this malware family targeting “buy now, pay later” financial services and an Austrian digital authentication app called ID Austria. The latest campaign seemingly targets Android users in general.
Brokewell boasts an extensive set of features that attackers can leverage to steal sensitive data from infected devices. It can mimic login screens of targeted apps, tricking users into giving away their credentials to attackers. The malware can also intercept and extract cookies, capture user interactions with the device, collect hardware and software details, retrieve call logs and location, and capture audio of the surroundings.
The attacker can live stream the screen of the infected device, so they can see everything you do. Brokewell also allows them to remotely execute touch and swipe gestures, click on the screen, type text into specified fields, and simulate physical button presses like Back, Home, and Recents. Additionally, the attacker can activate the screen remotely and adjust the brightness and device volume.
A new attacker is behind this campaign
Brokewell is developed by an individual identified as Baron Samedit. The threat actor has a history of developing and selling tools for checking stolen accounts, and Threat Fabric reports that these tools are used by many cybercriminals. One of them, called “Brokewell Android Loader,” can bypass the Android OS restrictions Google introduced to prevent sideloaded apps from abusing the Accessibility Service.
This isn’t the first or only Android malware taking advantage of this gap in Google’s Accessibility Service restrictions. Many threat actors incorporate the bypass technique to avoid or minimize the risk of detection. Despite the continuous efforts of Google and other vendors, attackers keep finding workarounds. The best way to stay safe from malware of this kind is to avoid sideloading apps. Always download apps and app updates from the Google Play Store or other trusted app stores like the Galaxy Store.
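One practical check that follows from the two points above (sideloading and Accessibility Service abuse) is to audit which accessibility services are enabled on a device and whether their owning app came from a trusted store. The script below is an added example, not code from Threat Fabric’s report; it assumes the device is reachable over adb, parses the output of `settings get secure enabled_accessibility_services` and `pm list packages -i`, and treats Google Play and the Galaxy Store as trusted installers (a constructed sample is used when adb is unavailable).

```python
import re
import subprocess

# Assumption: installer package names that count as trusted stores for this
# audit. Google Play and the Samsung Galaxy Store; extend for your fleet.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

def parse_installers(pm_output: str) -> dict:
    """Parse `pm list packages -i` lines: 'package:<pkg> installer=<pkg|null>'."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_enabled_services(setting: str) -> list:
    """Parse enabled_accessibility_services: 'pkg/Service:pkg2/Service2'."""
    if not setting or setting.strip() == "null":
        return []
    return [s for s in setting.strip().split(":") if s]

def flag_sideloaded_accessibility(setting: str, pm_output: str) -> list:
    """Return (package, service, installer) for every enabled accessibility
    service whose package was not installed by a trusted store."""
    installers = parse_installers(pm_output)
    flagged = []
    for svc in parse_enabled_services(setting):
        pkg = svc.split("/", 1)[0]
        installer = installers.get(pkg)
        if installer not in TRUSTED_INSTALLERS:
            flagged.append((pkg, svc, installer))
    return flagged

# Constructed sample output (not captured from a real device) for offline runs.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.fakeupdate/com.example.fakeupdate.AccService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.android.chrome  installer=com.android.vending"""

def adb(args: list) -> str:
    return subprocess.run(["adb", "shell"] + args, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    try:
        setting = adb(["settings", "get", "secure", "enabled_accessibility_services"])
        pm_out = adb(["pm", "list", "packages", "-i"])
    except (FileNotFoundError, subprocess.CalledProcessError):
        setting, pm_out = SAMPLE_SETTING, SAMPLE_PM  # fall back to the constructed sample
    for pkg, svc, installer in flag_sideloaded_accessibility(setting, pm_out):
        print(f"REVIEW: {svc} (installer={installer})")
```

Preinstalled system apps also report `installer=null`, so treat flagged entries as items to review against the device’s known baseline rather than as verdicts.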