Don't just update Google Chrome, you could lose your savings balance
- Cyber security company ThreatFabric reveals a new type of Android malware called “Brokewell”, which cleverly disguises itself as a Google Chrome update.
Once downloaded and installed on a user's cellphone, malware can take over the device, including stealing credentials such as banking application passwords, so that hackers can transfer money, change passwords, and so on remotely.
The findings were revealed through its official page written on April 25, 2024. Threatfabric's analysis found Brokewell malware on a fake Chrome update page.
These internet pages are designed to trick users into downloading application updates that contain dangerous malware.
Blockwell called Treatfabric is a type of modern banking malware that has been equipped with data theft and remote control capabilities contained in the malware.
"The discovery of a new malware group, Brokewell, which has the ability to take over devices, shows the ongoing demand for such capabilities among cybercriminals," Threatfabric said on its website.
“Criminals use this capability to commit fraud directly on victims' devices, creating challenges for fraud detection tools that rely on device identification or fingerprinting.” Threatfabric added in his writing.
How Brokewell malware works according to Threatfabric
Brokewell works by performing overlay attacks, a technique commonly used for Android banking malware, by displaying a fake login page on top of a genuine application to steal credentials from users.
This malware can also steal user cookies, so that when the user enters a website, this malware will send all session cookies from the user to a command and control server (C2).
Not only that, this malware is equipped with “accessibility logging" which can record every event that occurs on the device, such as touches and swipes on the mobile device screen, information displayed, text input, and applications that have been opened.
All user activity is then recorded and sent to a command and control server (C2), which can effectively steal all confidential data displayed or entered on the hacked device.
Using the personal information and login credentials that have been collected earlier, cybercriminals then use the malware's remote control capabilities to take over the device.
Thus, criminals now have complete control over the user's phone or tablet and can use the information they collect to carry out bank transfers, change passwords and other crimes.
Android cellphone users are advised not to just download Google Chrome updates from websites whose authenticity is doubtful, or only through the official Google Play Store application store.
Investigation of the perpetrator
Through an investigation carried out by Threatfabric, they discovered that one of the servers used as the command and control (C2) point for Brokewell was also used to host another repository, namely "Brokewell Cyber Labs" created by Baron Samedit.
This repository contains the source code for "Brokewell Android Loader," which is another tool from the same developer designed to bypass Android 13 and above restrictions on Accessibility Services for side-loaded apps.
Further analysis of “Baron Samedit”'s profile reveals that he has been active in cybercrime activities for at least two years and has provided tools for other cybercriminals to identify stolen accounts from various services.
Threatfabric said malware groups like Brokewell can pose significant risks to financial institution customers, and without proper fraud detection measures, this can lead to cases of fraud that are difficult to detect.
The Threatfabric company believes that only a comprehensive and layered fraud detection solution can effectively identify and prevent potential fraud from malware groups like Brokewell, compiled by KompasTekno from ThreatFabric, Wednesday (1/5/2024).