Brokewell: A New Android Banking Trojan Targeting Users In Germany

Cyble CRIL identified a new Android banking trojan named Brokewell distributed via a fake Chrome Update phishing site that installs a malicious Chrome.apk and communicates with C2 domains such as mi6.operationanonrecoil[.]ru. The malware’s developer, operating as “Baron Samedit” and hosting a Gitea repo, built a loader that bypasses storage permissions, abuses the Accessibility service for auto-granting permissions and overlay/keylogging attacks, and supports screen recording and cookie theft. #Brokewell #BaronSamedit

Keypoints

  • Brokewell is delivered from a fake Chrome Update phishing site (hxxps://www[.]makingitorut[.]com/Chrome/Chrome.apk) and was seen in VirusTotal samples from Germany.
  • The malware developer “Baron Samedit” hosts a Brokewell Android Loader repo on Gitea and links to underground forum/Tor/Telegram profiles.
  • The Brokewell Android Loader embeds the payload in /res/raw and uses a session-based package installer to install the APK without requesting external storage permissions.
  • Brokewell abuses Android Accessibility to auto-grant “Display over other apps” and “Unknown sources,” show fake lock PIN overlays, capture PINs, and perform overlay injection attacks to steal cookies and credentials.
  • Key capabilities include overlay attacks (WebView injection), keylogging via Accessibility logs, cookie stealing (/webv/dump-cookies), screen recording via MediaProjection (sent to port 50002), audio recording, SMS/call abuse, and remote shell execution.
  • The malware stores C2 configuration in implant.db (tb_config) and communicates with domains (mi6.operationanonrecoil[.]ru, fsb[.]operationvenetic[.]ru) and non-standard ports (e.g., 56231, 44478, 44479, 45901); it can download/update APKs and execute commands from C2.

MITRE Techniques

  • [T1660] Phishing – Initial delivery via a fake Chrome Update phishing site that downloads a malicious APK (‘hxxps://www[.]makingitorut[.]com/Chrome/Chrome.apk’).
  • [T1623.001] Command and Scripting Interpreter: Unix Shell – Malware can execute shell commands received from C2 (‘Run shell command received from C&C server’).
  • [T1624.001] Event-Triggered Execution: Broadcast Receivers – Uses registered broadcast receivers to intercept and steal incoming SMS messages (‘registered broadcast receivers to steal incoming SMS’).
  • [T1407] Download New Code at Runtime – Downloads and installs APKs or updates itself (‘doInstallPKG’, ‘doSelfUpdateAPK’ download new APK and update itself).
  • [T1628.001] Hide Artifacts: Suppress Application Icon – Hides its app icon to avoid detection (‘Hides application icon’).
  • [T1629.001] Impair Defenses: Prevent Application Removal – Prevents uninstallation or sets flags to block removal (‘Malware prevents uninstallation’).
  • [T1655.001] Masquerading: Match Legitimate Name or Location – Uses Chrome icon/name to appear legitimate (‘Malware uses Chrome Icon and name’).
  • [T1516] Input Injection – Mimics user interaction, performing clicks, gestures, typing and other automated UI actions (‘can mimic user interaction, perform clicks and various gestures, and input data’).
  • [T1417.001] Input Capture: Keylogging – Captures keystrokes and Accessibility events and sends them to C2 (‘Malware can capture keystrokes’ and sends Accessibility logs to ‘/acs/log-event’).
  • [T1513] Screen Capture – Uses MediaProjection to record the screen and exfiltrate recordings (‘initiates screen recording using Media Projection’ and sends to port 50002).
  • [T1429] Audio Capture – Records audio from the device and transmits recorded audio to the server (‘doRecordAudio’ sends recorded audio file to the server).
  • [T1616] Call Control – Can initiate phone calls from the infected device (‘doPhoneCall’ makes a call from the infected device).
  • [T1422] System Network Configuration Discovery – Collects device IP and SIM information and reports it to C2 (‘Sends infected device’s IP’ and collects telephony info).
  • [T1509] Non-Standard Port – Communicates with C2 over uncommon ports stored in local DB (56231, 44478, 44479, 45901) (‘malware communicates with the C&C server using ports 56231, 44478, 44479, 45901’).
  • [T1646] Exfiltration Over C2 Channel – Exfiltrates stolen data (cookies, logs, recordings) over its C2 channel (‘Sending exfiltrated data over C&C server’).

Indicators of Compromise

  • [SHA256 hashes] Brokewell samples – 2ac038c44f1be53a1b652cafa4eba23af29831c7ebb75aaa00743b11c33665ea, 99f263fa87f13c7e6829dff73cc9c018d5f8165a5a7af3af8bc5ca6d52762ea9, and several other hashes reported.
  • [URLs / Filenames] Distribution URL and payload – hxxps://www[.]makingitorut[.]com/Chrome/Chrome.apk (Chrome.apk used as trojanized installer).
  • [Domains] Command-and-control domains – mi6.operationanonrecoil[.]ru (C2), fsb[.]operationvenetic[.]ru (additional C2).
  • [IP address] C2 host – 91.92.247[.]182 associated with mi6.operationanonrecoil[.]ru.
  • [Package name] Embedded package identifier – com.brkwl.apkstore (loader/package name used in both loader and trojan samples).

The Brokewell Android Loader embeds its payload APK inside the app resources (/res/raw) and installs it using the Android session-based package installer, avoiding requests for external storage permissions. The loader and trojan share the package name com.brkwl.apkstore; configuration is persisted in a local SQLite DB (implant.db, table tb_config) that stores C2 domains and non-standard ports (e.g., 56231, 44478, 44479, 45901), and the loader supports remote updates and APK installation commands (doInstallPKG, doSelfUpdateAPK).

Brokewell performs environment checks (root detection via multiple su paths and app package checks) and halts on detection, then prompts for Accessibility service access. Once granted, it auto-enables “Display over other apps” and “Unknown sources” and abuses Accessibility to capture UI events (clickable/editable/scrollable/focused), log keystrokes to send to /acs/log-event, and present fake lock PIN overlays (localized strings observed in German and other languages). Overlay attacks load attacker-controlled pages into a WebView (openWebViewInject / setInjectList) and harvest cookies on onPageFinished, transmitting them to /webv/dump-cookies.

The trojan also supports MediaProjection-based screen recording (triggered by doStartProjection, recordings sent to port 50002), audio recording (doRecordAudio), simulated gestures and clicks (doClickElem, doClickXY, doDrawXY), SMS/call abuse (doSendSMS, doPhoneCall), remote shell execution (runSHELL), and anti-analysis/string encryption (AES with a prefixed marker ‘aWlpaWlpaWlpaWlpaWlpa’ removed during decryption). C2 communications use a socket connection and enable extensive remote control and exfiltration capabilities; operators can change C2 addresses via setC2addr.
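As an added defender-side triage example (not code from Cyble or from the Brokewell author), the Python script below statically checks an APK for the loader layout described above (a second APK parked under res/raw for the session-based installer) and for the string indicators quoted on this page (the com.brkwl.apkstore package name, the AES marker prefix, and the /acs/log-event and /webv/dump-cookies C2 paths). The `scan_apk` and `build_sample_loader` names are assumptions of this example, and the APK it builds is a constructed fixture with no real code in it.

```python
import io
import zipfile

# Indicators quoted in the write-up above (strings, not hashes).
LOADER_PACKAGE = b"com.brkwl.apkstore"
AES_MARKER = b"aWlpaWlpaWlpaWlpaWlpa"
C2_PATHS = (b"/acs/log-event", b"/webv/dump-cookies")


def _scan(zf, findings, prefix=""):
    for name in zf.namelist():
        data = zf.read(name)
        if name.startswith("res/raw/") and data[:2] == b"PK":
            # Loader trait: a second APK under res/raw for the session-based
            # installer. Recurse so the dropped payload is checked as well.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "AndroidManifest.xml" in inner.namelist():
                        findings["embedded_apk"].append(prefix + name)
                        _scan(inner, findings, prefix + name + "!")
            except zipfile.BadZipFile:
                pass
        # DEX strings are (M)UTF-8, so ASCII matches are reliable; a binary
        # AndroidManifest.xml stores UTF-16, so the package match is best-effort.
        findings["package_name"] |= LOADER_PACKAGE in data
        findings["aes_marker"] |= AES_MARKER in data
        for path in C2_PATHS:
            if path in data and path.decode() not in findings["c2_paths"]:
                findings["c2_paths"].append(path.decode())


def scan_apk(apk_bytes):
    """Static, read-only triage of an APK for Brokewell-style indicators."""
    findings = {"embedded_apk": [], "package_name": False,
                "aes_marker": False, "c2_paths": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        _scan(zf, findings)
    findings["suspicious"] = bool(findings["embedded_apk"] or
                                  findings["aes_marker"] or findings["c2_paths"])
    return findings


def build_sample_loader():
    """Constructed fixture mimicking the loader layout; contains no real code."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.brkwl.apkstore'/>")
        z.writestr("classes.dex", AES_MARKER + b" /acs/log-event /webv/dump-cookies")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.brkwl.apkstore'/>")
        z.writestr("res/raw/payload", inner.getvalue())
    return outer.getvalue()
```

Run it against a real sample with `scan_apk(open(path, "rb").read())`; a hit on the nested-APK check alone is worth a closer look even when the string indicators have been rotated.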

Read more: https://cyble.com/blog/brokewell-a-new-android-banking-trojan-targeting-users-in-germany/