New Android malware “Brokewell” spreads via fake browser updates

April 26, 2024 | Pressroom | Mobile security / Cybercrime


Fake browser updates are used to spread a previously undocumented Android malware called Brokewell.

“Brokewell is a typical modern banking malware that has both data theft and remote control capabilities built into the malware,” Dutch security firm ThreatFabric said in an analysis published Thursday.

The malware is said to be under active development, with new commands being added to capture touch events, text displayed on the screen, and the applications the victim launches.

The list of Brokewell apps masquerading as Google Chrome, ID Austria and Klarna is as follows:

  • jcwAz.EpLIq.vcAZiUGZpK (Google Chrome)
  • zRFxj.ieubP.lWZzwlluca (ID Austria)
  • com.brkwl.uptracking (Klarna)

Like other recent Android malware families of this type, Brokewell is able to bypass Google-imposed restrictions that prevent sideloaded apps from requesting Accessibility Services permissions.


Once installed and launched for the first time, the banking Trojan requires the victim to grant it the Accessibility Service permission, which it then uses to grant itself further permissions automatically and to carry out its malicious activities.

These include displaying overlay screens on top of targeted apps to steal user credentials. It can also steal cookies by launching a WebView and loading the legitimate website; the session cookies set during that visit are then intercepted and sent to an attacker-controlled server.


Other Brokewell features include the ability to record audio, take screenshots, retrieve call logs, access the device location, list installed apps, log every event that happens on the device, send SMS messages, make phone calls, install and uninstall apps, and even disable the accessibility service.

Threat actors can also exploit the malware’s remote control functionality to see what is displayed on the screen in real time, as well as interact with the device via clicks, swipes, and taps.

Brokewell is said to be the work of a developer who goes by the name “Baron Samedit Marais” and runs the “Brokewell Cyber Labs” project, which also includes an Android loader publicly hosted on Gitea.


The loader acts as a dropper: it bypasses the accessibility permission restrictions in Android 13, 14, and 15 using a technique previously adopted by dropper-as-a-service (DaaS) offerings such as SecuriDropper, and then deploys the Trojan implant.

By default, loader apps generated through this process carry the package name “com.brkwl.apkstore”, although the user can change this by providing a specific name or by enabling the random package name generator.
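As an added illustration (not code from the ThreatFabric analysis or from this article), the following triage check is something an incident responder could run over the output of `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services` on a suspect device: it flags the package names named above (the three impersonating apps and the loader's default name) and reports whether any of them already has an accessibility service enabled, the permission the Trojan abuses first. The sample command outputs and the service class names inside them are constructed.

```python
# Package names reported in the ThreatFabric analysis discussed above.
BROKEWELL_PACKAGES = {
    "jcwAz.EpLIq.vcAZiUGZpK": "Brokewell posing as Google Chrome",
    "zRFxj.ieubP.lWZzwlluca": "Brokewell posing as ID Austria",
    "com.brkwl.uptracking": "Brokewell posing as Klarna",
    "com.brkwl.apkstore": "Brokewell loader (default package name)",
}

# Constructed sample outputs (not captured from a real device); the
# service class names after '/' are placeholders.
SAMPLE_PM_LIST = """package:com.android.chrome
package:com.brkwl.uptracking
package:com.google.android.youtube
"""
SAMPLE_A11Y = ("com.brkwl.uptracking/.PlaceholderAccessibilityService:"
               "com.google.android.marvin.talkback/.TalkBackService")


def parse_pm_list(pm_output: str) -> set:
    """Parse `adb shell pm list packages` output: one 'package:<name>' per line."""
    return {ln.strip()[len("package:"):]
            for ln in pm_output.splitlines() if ln.strip().startswith("package:")}


def parse_enabled_a11y(setting: str) -> set:
    """Parse the Secure setting enabled_accessibility_services: a colon-
    separated list of 'pkg/class' component names, or 'null' when none is
    enabled. Returns the set of package names with an enabled service."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}


def triage(pm_output: str, a11y_setting: str) -> list:
    """Return one finding per known Brokewell package that is installed,
    noting whether it already holds an enabled accessibility service."""
    installed = parse_pm_list(pm_output)
    a11y_pkgs = parse_enabled_a11y(a11y_setting)
    return [{"package": pkg,
             "label": BROKEWELL_PACKAGES[pkg],
             "accessibility_enabled": pkg in a11y_pkgs}
            for pkg in sorted(installed & BROKEWELL_PACKAGES.keys())]


if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_LIST, SAMPLE_A11Y):
        print(finding)
```

Because the loader's package name is user-configurable, an empty result does not clear a device; the accessibility-service list is still worth reviewing for any sideloaded package.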

Because the loader is freely available, other threat actors looking to evade Android's security protections could adopt it.

“Second, existing ‘Dropper-as-a-Service’ offerings that currently provide this functionality as a defining feature will likely shut down their services or attempt to reorganize,” ThreatFabric said.

“This further lowers the barrier to entry for cybercriminals seeking to distribute mobile malware on modern devices, making it easier for more actors to enter the field.”
