Brokewell Malware Spreads Via Fake Chrome Updates On Mobile Devices

Android users should be on guard against a new banking trojan, "Brokewell," built to drain their bank accounts. Brokewell lures victims into installing it by posing as a Chrome browser update.

Brokewell Malware Lures Victims Via Fake Chrome Updates

The cybersecurity firm ThreatFabric shared details about a new threat to Android users in a recent report. Identified as Brokewell, the malware family is described by the researchers as a potent Android banking trojan with data-stealing and device-takeover capabilities.

The malware caught the researchers' attention through a fake Chrome update page. The page prompted visitors to install an Android app presented as a browser update. It mimicked the design of the real Google Chrome update page closely enough to trick users, with only subtle differences.

Installing the so-called Chrome update actually installed a new malware family that had stayed under the radar for some time. Note that Chrome for Android is updated only through Google Play; any web page offering an APK as a "Chrome update" is fraudulent. Although the malware had gone undetected, retrospective analysis revealed earlier campaigns that impersonated an Austrian digital authentication app and another financial service.

Further analysis revealed its true nature as a banking trojan targeting mobile users. Once installed, it uses several techniques to steal user data: it displays screen overlays to capture credentials, launches its own WebView to steal session cookies, and transmits everything it collects to its C&C server. It also records device activity, including keystrokes, touches, swipes, the apps being opened, and the information displayed on screen, so it can capture sensitive data beyond the usual banking details.
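A practical check for a sideloaded "update" like this is to triage its decoded AndroidManifest.xml for the capability combination a banking trojan needs: overlay drawing, an accessibility service (the usual way keystrokes, touches and on-screen content are captured on Android), and a package name that does not belong to Chrome despite a Chrome-style label. The script below is an added example written for this article, not code from ThreatFabric or from the Brokewell sample; the manifests it parses are constructed here, and it assumes the manifest has already been decoded to plain XML (for instance with apktool) since binary AXML is not parsed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"
LABEL = f"{{{ANDROID_NS}}}label"

# Genuine Chrome release channels on Google Play.
GOOGLE_CHROME_PACKAGES = {
    "com.android.chrome", "com.chrome.beta", "com.chrome.dev", "com.chrome.canary",
}

# Constructed sample: what a decoded manifest of a fake "Chrome update" might look like.
FAKE_UPDATE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.update.chrome.installer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Chrome Update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample of an unremarkable app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name and a list of banker-style findings for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {e.get(NAME) for e in root.findall("uses-permission")}
    app = root.find("application")
    label = app.get(LABEL, "") if app is not None else ""
    accessibility_services = [
        s.get(NAME) for s in root.iter("service")
        if s.get(PERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
    ]

    findings = []
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append("overlay: can draw windows on top of other apps")
    if accessibility_services:
        findings.append("accessibility: can read screen content and inject input")
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        findings.append("installer: can install further packages")
    if "chrome" in label.lower() and package not in GOOGLE_CHROME_PACKAGES:
        findings.append(f"impersonation: label '{label}' but package '{package}' is not Chrome")

    return {"package": package, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for manifest in (FAKE_UPDATE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

The threshold of two findings is a triage heuristic, not a verdict: legitimate screen readers and password managers also register accessibility services, so a hit should lead to a closer look at the sample rather than an automatic block.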

The researchers shared a detailed technical analysis of the malware in their post. While they listed most of Brokewell's current functionality, they expect it to gain further capabilities, since the malware is under active development.

Tracing the trojan back revealed "Baron Samedit" as its developer, an actor who has been active for the past two years. While this threat actor previously supplied tools to other cybercriminals, Brokewell's launch establishes them as a distinct threat actor in their own right.
