Brokewell & Voodoo

A newly identified Android Trojan can steal user information and allow attackers to take control of infected devices. Named Brokewell, the trojan includes all the capabilities of mobile banking malware while also providing attackers with remote access to devices. Brokewell is being distributed via fake application updates, such as newer Chrome browser iterations and updates for an Austrian digital authentication application.

The malware overlays fake windows over the targeted mobile applications to harvest the victim's credentials. Furthermore, it can steal browser cookies by launching its own WebView, loading the legitimate site, and dumping session cookies after the user completes the login process. Researchers discovered that Brokewell has an accessibility logging capability, allowing it to capture device events such as touches, swipes, text input, opened applications, and information displayed on the screen.[1]

The malware harvests all this information and sends it to a command-and-control (C&C) server, giving the threat actors a trove of stolen data. It is essential to highlight that, in this case, any application is at risk of data compromise: Brokewell logs every event, posing a threat to all applications installed on the device. The malware also packs spyware capabilities, collecting information about the device and stealing data such as call history and geolocation, along with the ability to record audio.

Brokewell can also perform screen streaming and supports various commands that allow the attackers to take full control over the infected device and perform different actions on the screen, including touches, swipes, clicks, scrolls, text input, and more. One of the malware’s C&C servers was also used to host a repository called Brokewell Cyber Labs, which contained the source code for a ‘Brokewell Android Loader’, and both were developed by a threat actor called Baron Samedit.
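The three capabilities described above (overlay credential harvesting, accessibility logging, screen streaming) map onto checks a banking app can run on its own login screen. The Kotlin below is an added example, not code from the article or from the Brokewell research; the layout ids and the TRUSTED_A11Y allow-list are assumptions.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Bundle
import android.view.MotionEvent
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.Toast

// Hypothetical allow-list: accessibility services the app accepts running alongside it
// (a real app would list the screen readers it has actually tested with).
val TRUSTED_A11Y = setOf("com.google.android.marvin.talkback")

// Accessibility logging: Brokewell reads screen content and input through an
// AccessibilityService. Return every enabled service that is not on the allow-list.
fun untrustedAccessibilityServices(ctx: Context): List<String> {
    val am = ctx.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { it.resolveInfo.serviceInfo.packageName }
        .filter { it !in TRUSTED_A11Y }
}

class LoginActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Screen streaming: FLAG_SECURE blanks this window in screenshots, screen
        // recordings and MediaProjection-based streams.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                        WindowManager.LayoutParams.FLAG_SECURE)
        setContentView(R.layout.activity_login)          // assumed layout id

        // Overlays: the system marks touches that pass through another window with
        // FLAG_WINDOW_IS_OBSCURED. Consume them and warn instead of accepting input.
        val password = findViewById<View>(R.id.password) // assumed view id
        password.setOnTouchListener { _, ev ->
            val obscured = ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED != 0
            if (obscured) refuseInput("Another app is drawing over this screen.")
            obscured
        }

        val rogue = untrustedAccessibilityServices(this)
        if (rogue.isNotEmpty())
            refuseInput("Unrecognised accessibility service enabled: ${rogue.joinToString()}")
    }

    // Disable the form and tell the user why; the backend can also be notified here.
    private fun refuseInput(reason: String) {
        findViewById<View>(R.id.login_button).isEnabled = false  // assumed view id
        Toast.makeText(this, reason, Toast.LENGTH_LONG).show()
    }
}
```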

Baron Samedi (also spelled Samedit) is among the most well-known figures within Haitian Voodoo.  His distinctive look, purple suit, and skeletal face have made him memorable in religion and popular culture.  Haitian Voodoo is a type of syncretic religion developed in Haiti when West African slaves were forcibly converted to Christianity in the 18th century.  A syncretic religion combines two or more separate theological or mythological belief systems.  In the case of Haitian Voodoo, the combination of West African beliefs intertwined with Roman Catholicism created the religion observed today.

The loader can bypass the restrictions that Android 13 and newer place on Accessibility Service use by side-loaded applications, potentially allowing multiple actors to include the capability in their malware. Baron Samedi has been active for at least two years, providing cybercriminals with tools to check stolen accounts from multiple services.

Investigators anticipate further evolution of this malware family, as they have already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions.

Android users are automatically protected against known versions of this malware by Google Play Protect, which is on Android devices by default with Google Play Services. Google Play Protect can warn users or block apps that exhibit malicious behavior, even when those apps come from sources outside of Play.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefing:
REDSHORTS - Weekly Cyber Intelligence Briefing
https://register.gotowebinar.com/register/5378972949933166424

[1] https://www.securityweek.com/powerful-brokewell-android-trojan-allows-attackers-to-takeover-devices/