New Android Trojan Malware Targets Bank Accounts With Fake Chrome Updates

'Brokewell' malware allows attackers to spy on, steal cookies from, or take control of Android mobile devices for financial gain.

Kate Irwin, Reporter

Cybersecurity firm ThreatFabric has flagged a new series of banking Trojan malware dubbed "Brokewell" that can swipe user data including cookies and even allow attackers to gain full remote access to Android devices.

"Brokewell poses a significant threat to the banking industry, providing attackers with remote access to all assets available through mobile banking," ThreatFabric writes in its analysis, which was first reported by SecurityWeek. "The Trojan appears to be in active development, with new commands added almost daily."

Attackers gain access to victims' Android devices by tricking them into installing Brokewell Trojan malware on their smartphones. The malware is typically disguised as a fake Google Chrome web browser "update" page, using a visual design, layout, and text that's very similar to a legitimate Chrome installation prompt.

Like many scams, however, the fake Chrome page's text has obvious grammatical errors. Instead of Google's original, which reads "The browser built to be yours," the Brokewell-infested fake version reads "An update is required yours."

Once installed on a victim's Android device, the malware gives attackers free rein to spy on the user's device to swipe financial login credentials or even type and click on the phone's screen to steal funds directly from the victim's phone itself. The Android Trojan also allows for other device takeover functions like drawing on the screen, moving back or to the home screen, or simulating swiping motions. The attacker could even harass or troll the victim by sending incessant phone vibrations, waking up the phone's screen, or changing the screen's brightness level.

ThreatFabric reports that an individual claiming their name is "Baron Samedit Marais" has taken responsibility for the malware's creation and is supposedly selling the Brokewell malware along with a range of other malicious tools through a site called "Brokewell Cyber Labs." Brokewell malware has targeted Klarna accounts in the past, and a screenshot shared by the cybersecurity firm suggests the threat actor may also be offering tools that target PayPal, Amazon, Dropbox, Apple, and American Express accounts.

"We anticipate further evolution of this malware family, as we've already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions," ThreatFabric states.

A Google representative tells PCMag that it's already taken steps to shield Android users from threats like Brokewell. "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services," the representative says. "Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."

Android-specific malware isn't uncommon. Last year, over a dozen apps on the Google Play Store were found to contain a type of malware that enables full device takeover. While malware can be devastating, it is preventable. There are antivirus and malware protection apps for Android devices that can watch for dangerous links while you browse online and wipe infected devices if needed.

Editor's Note: This story has been updated to include comment from Google.
