Security researchers have discovered a new Android banking trojan, Brokewell, that can record every event on the device and steal sensitive data. It is being distributed through a fake Google Chrome update page, and analysis shows the malware is under active development and already includes remote-control capabilities.

Researchers at ThreatFabric found Brokewell while investigating a fake Chrome update page that dropped the payload. Earlier campaigns using the same trojan targeted financial services and masqueraded as a digital authentication application.

Brokewell’s main capabilities include stealing credentials through overlay screens that mimic the login pages of targeted apps, logging every interaction with the device, and collecting hardware and software details. It also gives the operator remote control of the device, including live screen streaming and the ability to perform touch gestures remotely.

The developer behind Brokewell, who uses the handle Baron Samedit, has been selling tools for checking stolen accounts for at least two years. Another tool by the same developer, the “Brokewell Android Loader,” bypasses the restrictions Google introduced in Android 13 to stop sideloaded apps from enabling Accessibility Service, the permission banking trojans rely on to read the screen and act on the user’s behalf.

Security researchers warn that device-takeover capabilities like Brokewell’s are in high demand among cybercriminals, and they expect the malware to be developed further and offered on underground forums. To reduce the risk of Android malware infection, users are advised not to install apps from outside Google Play (a genuine Chrome update arrives through the Play Store, never through a web page prompting a download) and to keep Play Protect enabled on their device. Google has confirmed that Google Play Protect automatically protects users against known versions of this malware.
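Because Brokewell, like most Android bankers, depends on an Accessibility Service that the victim was tricked into enabling, a quick triage step on a suspect device is to list the enabled accessibility services and check who installed the owning package. The following script is an added example written for this article, not code from ThreatFabric or from the Brokewell report; it parses the output of three adb commands, and the sample outputs embedded in it are constructed, not taken from a real device. The package names in the samples are made up, and the choice of the Play Store as the only trusted installer is an assumption you should widen if the fleet uses an MDM or vendor app store.

```python
"""Triage helper: which enabled Android accessibility services are sideloaded?

Brokewell-style bankers need an enabled Accessibility Service to log
interactions and drive the screen. This script cross-checks the enabled
services against the package installer so a responder can spot a service
that did not arrive via the Play Store.

Real-device usage (the constructed samples below stand in for these commands):
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i
    adb shell pm list packages -s
"""
from typing import Dict, List, Optional, Set, Tuple

# Assumption: only a Play Store install counts as trusted. Extend for an MDM
# or vendor store if the fleet uses one.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Constructed sample output of `pm list packages -i` (not from a real device;
# the package names are hypothetical).
SAMPLE_PM_LIST_INSTALLERS = """\
package:com.android.vending  installer=null
package:com.example.banking  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=null
package:com.update.chrome.service  installer=null
package:com.sideloaded.reader  installer=com.android.packageinstaller
"""

# Constructed sample output of `pm list packages -s` (system/preinstalled apps).
SAMPLE_PM_LIST_SYSTEM = """\
package:com.android.vending
package:com.google.android.marvin.talkback
"""

# Constructed sample value of the enabled_accessibility_services setting:
# colon-separated "package/ServiceClass" components.
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.update.chrome.service/.AccessService:"
    "com.sideloaded.reader/com.sideloaded.reader.ReadAloudService"
)


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when 'null' or absent)."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name_part, _, installer_part = line.partition("installer=")
        pkg = name_part[len("package:"):].strip()
        installer = installer_part.strip()
        installers[pkg] = None if installer in ("", "null") else installer
    return installers


def parse_system_packages(pm_output: str) -> Set[str]:
    """Set of package names from `pm list packages -s`."""
    return {
        line.strip()[len("package:"):]
        for line in pm_output.splitlines()
        if line.strip().startswith("package:")
    }


def parse_enabled_services(setting_value: str) -> List[str]:
    """Split the setting into components; 'null' means nothing is enabled."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [c for c in value.split(":") if c]


def flag_suspect_services(
    enabled: List[str],
    installers: Dict[str, Optional[str]],
    system_pkgs: Set[str],
    trusted: Set[str] = TRUSTED_INSTALLERS,
) -> List[Tuple[str, Optional[str]]]:
    """Return (component, installer) for services owned by non-system packages
    that were not installed by a trusted store. Packages missing from the
    installer list are flagged too, since an unknown owner is itself suspicious."""
    suspects: List[Tuple[str, Optional[str]]] = []
    for component in enabled:
        pkg = component.split("/", 1)[0]
        if pkg in system_pkgs:
            continue
        installer = installers.get(pkg)
        if installer in trusted:
            continue
        suspects.append((component, installer))
    return suspects


def triage(setting_value: str, pm_installers: str, pm_system: str) -> List[Tuple[str, Optional[str]]]:
    """Run the full check over the raw text of the three adb commands."""
    return flag_suspect_services(
        parse_enabled_services(setting_value),
        parse_installers(pm_installers),
        parse_system_packages(pm_system),
    )


if __name__ == "__main__":
    for component, installer in triage(
        SAMPLE_ENABLED_A11Y, SAMPLE_PM_LIST_INSTALLERS, SAMPLE_PM_LIST_SYSTEM
    ):
        print(f"SUSPECT accessibility service: {component} (installer={installer})")
```

On the constructed sample the preinstalled TalkBack service passes, while the two services whose packages came from a browser download or the manual package installer are reported. The check looks at the outcome (which services ended up enabled) rather than at how the loader got past the Android 13 restriction, so it is useful regardless of the bypass technique in use; a flagged service is a prompt to pull the APK for analysis, not proof of infection on its own.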

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
