Insights, news, education and announcements from PolySwarm

Brokewell Android Banking Trojan

Written by The Hivemind | May 6, 2024 6:48:46 PM

Verticals Targeted: Financial

Executive Summary

Brokewell is a newly discovered Android banking trojan with Device Takeover capabilities. Despite being a newcomer to the threat landscape, Brokewell poses a significant threat to the banking industry.

Key Takeaways

  • Brokewell is a newly discovered Android banking trojan with Device Takeover capabilities. 
  • Brokewell has data theft, spyware, and remote control capabilities.
  • Brokewell seems to have only recently entered the threat landscape but poses a significant threat to the banking industry.
  • Brokewell is attributed to a threat actor known as Baron Samedit, who operates Brokewell Cyber Labs.

What is Brokewell?

Brokewell is a newly discovered Android banking trojan with Device Takeover capabilities. Threat Fabric recently reported on Brokewell. 

Brokewell’s infection chain appears to begin with a fake browser update page that installs an Android application. The downloaded application is a novel malware family that has also been used in campaigns targeting a “buy now, pay later” service and a digital authentication application. 

Brokewell has both data theft and remote control capabilities. It uses overlay attacks to steal a victim’s credentials and can also steal cookies. Additionally, Brokewell is capable of “accessibility logging”, which allows it to capture every event that happens on the device, including touches, swipes, displayed information, text input, and opened applications. These actions are logged and sent to the C2. Accessibility logging means Brokewell can pose a threat to any application installed on the victim device. 

In addition to data theft, Brokewell has spyware-like functionalities, allowing threat actors to collect device information, to obtain call history, to geo locate the device, and to record audio. 

After stealing victim credentials, threat actors can initiate a Device Takeover attack, allowing them to remotely control the device. Brokewell streams the victim’s screen and allows the threat actor to perform a variety of remote actions. These include touches, swipes, and clicks on on-screen elements. 

Threat Fabric noted that Brokewell seems to have only recently entered the threat landscape but poses a significant threat to the banking industry. It allows threat actors to obtain remote access to all assets available via mobile banking. Not only is Brokewell in active development, but new commands are added almost daily. 

Additionally, Threat Fabric discovered another dropper, dubbed Brokewell Android Loader, that was developed by the same threat actor. It is capable of bypassing Android 13+ restrictions on Accessibility Service for sideloaded applications.

Who is Baron Samedit?

According to Threat Fabric, Brokewell is developed by a threat actor known as Baron Samedit, who operates Brokewell Cyber Labs. The threat actor claims to be a computer programmer, reverse engineer, systems administrator, business owner, project manager, cyberweapons contractor, tech consultant, talent mentor, and postgraduate student. While Baron Samedit has been active for at least two years, the threat actor only recently began releasing Android malware. 

IOCs

PolySwarm has a sample of Brokewell.

 

00d35cf5af2431179b24002b3a4c7fb115380ebda496d78849bf3d10055d8a88

 

You can use the following CLI command to search for all Brokewell samples in our portal:

$ polyswarm link list -f Brokewell

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.