New Brokewell malware takes over Android devices, steals data

Researchers discovered Brokewell, an Android banking trojan delivered via fake Chrome update pages that gives attackers full device takeover and extensive data-stealing capabilities. The malware and its associated Brokewell Android Loader, both attributed to the threat actor Baron Samedit, bypass Android's restrictions on granting Accessibility Service access to side-loaded apps, which is what makes Accessibility-based remote control possible; the loader was found hosted on one of Brokewell's command-and-control servers. #Brokewell #BaronSamedit

Keypoints

  • Brokewell is an Android banking trojan delivered through fake Google Chrome update pages that tricks users into installing malicious APKs.
  • The threat actor identified as Baron Samedit developed Brokewell and a separate Brokewell Android Loader used by multiple cybercriminals.
  • Brokewell steals credentials via overlay login screens and uses a built-in WebView to intercept and extract session cookies.
  • The malware captures user interactions (taps, swipes, text input), device metadata, call logs, location, and audio from the microphone.
  • Brokewell provides real-time screen streaming and remote control features (remote touch/swipe, clicks, scrolling, typing, simulated button presses, and setting adjustments).
  • The Brokewell Android Loader can bypass Android 13+ restrictions intended to block granting Accessibility Service access to side-loaded apps.
  • Researchers warn Brokewell is likely to be further developed and offered via malware-as-a-service, increasing its deployment risk.

MITRE Techniques

  • [T1204] User Execution – Delivered via social-engineering lure: ‘The malware is delivered through a fake Google Chrome update.’
  • [T1056] Input Capture – Captures user interactions to steal sensitive inputs: ‘captures the victim’s interaction with the device, including taps, swipes, and text inputs.’
  • [T1113] Screen Capture – Streams the device display in real time to attackers: ‘Allows the attacker to see the device’s screen in real-time (screen streaming).’
  • [T1539] Steal Web Session Cookie – Intercepts web session data via embedded WebView: ‘Uses its own WebView to intercept and extract cookies after a user logs into a legitimate site.’
  • [T1548] Abuse Elevation Control Mechanism – Bypasses platform restrictions to gain Accessibility privileges: ‘this loader can bypass the restrictions Google introduced in Android 13 and later to prevent abuse of Accessibility Service for side-loaded apps.’
  • [T1071] Application Layer Protocol – Uses hosted servers for command-and-control and loader distribution: ‘The tool was hosted on one of the servers acting as command and control server for Brokewell.’
  • [T1041] Exfiltration Over C2 – Exfiltrates harvested data and device artifacts via C2 channels: ‘Brokewell’s main capabilities are to steal data and offer remote control to attackers.’

Indicators of Compromise

  • [APK files] Distribution samples – fake Chrome update APK, ID Austria–themed APK used to drop Brokewell (article shows APKs used for distributing Brokewell; specific filenames not disclosed).
  • [Command-and-control servers] Loader/C2 hosting – Brokewell Android Loader was hosted on a server acting as a C2 for Brokewell (exact URLs/IPs not published in the article).
  • [Targeted services / impersonation] Impersonation context – Klarna (targeted “buy now, pay later” services) and ID Austria (malware masqueraded as this authentication app).

Researchers found Brokewell distributed through malicious APKs served by fake Google Chrome update pages. Once installed, the payload obtains Accessibility Service privileges, with the help of a loader that bypasses the Android 13+ safeguards against granting that access to side-loaded apps, and uses them to drive the device. The loader was hosted on infrastructure that also serves as command-and-control for Brokewell, so operators can deliver modules and issue live commands from the same servers.

Once active, Brokewell steals credentials through overlay screens placed over targeted apps and through a built-in WebView that intercepts and extracts session cookies after the victim logs in to a legitimate site. At the same time it captures input events (taps, swipes, text) and harvests device metadata, call logs, location, and microphone audio. It also supports real-time screen streaming and remote-interaction primitives: simulated touches, swipes, clicks at coordinates, scrolling, typed input into fields, simulated hardware button presses, and adjustments to device settings (brightness, volume). Together these let attackers commit fraud directly from the victim's own device.

The Brokewell Android Loader specifically circumvents the restricted-settings protection Android 13 introduced to stop side-loaded apps from being granted Accessibility Service access, so a side-loaded payload can request and obtain the elevated access these takeover functions need. Researchers warn that such loader techniques and device-takeover features are increasingly packaged as services for other criminals, which raises the risk and scale of deployments. Prevention focuses on not installing side-loaded APKs (including "browser updates" offered by a web page; Chrome on Android updates only through Google Play) and keeping Play Protect enabled. On a device that may already be compromised, the Accessibility Service grant itself is the artifact to look for: however the loader obtained it, the grant ends up in the device's secure settings.
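As an added triage check (this is not code from the article or from ThreatFabric's research), the script below flags packages that hold an enabled Accessibility Service but were not installed from Google Play, which is the combination a Brokewell-style loader produces. It parses two stock Android commands, `settings get secure enabled_accessibility_services` and `pm list packages -i`, normally captured over adb; the sample command output embedded in the script is constructed, and the package name `com.example.chromeupdate` is hypothetical.

```python
"""Flag side-loaded Android apps that hold Accessibility Service access.

Added example, not code from the article or from ThreatFabric. It parses the
output of two stock Android commands, normally captured over adb:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i
The sample outputs below are constructed; the package com.example.chromeupdate
is hypothetical and stands in for a side-loaded "Chrome update".
"""
import re
import subprocess
from typing import Dict, List

# Installer package that corresponds to Google Play. Side-loaded APKs show
# installer=null (adb / file manager) or the system package installer.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated ComponentName strings, written "pkg/Class" or "pkg/.Class".
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.chromeupdate/.AccService"
)

# Constructed sample of `pm list packages -i`.
SAMPLE_PACKAGE_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.chromeupdate  installer=null
package:com.example.bank  installer=com.android.vending
"""

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_enabled_services(raw: str) -> Dict[str, List[str]]:
    """Map package name -> enabled accessibility service classes (fully qualified)."""
    enabled: Dict[str, List[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":          # key unset: no services enabled
        return enabled
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):            # flattened short form "pkg/.Class"
            cls = pkg + cls
        enabled.setdefault(pkg, []).append(cls)
    return enabled


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when side-loaded via adb/file)."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def find_suspicious(enabled: Dict[str, List[str]],
                    installers: Dict[str, str]) -> List[dict]:
    """Accessibility grants held by packages that did not come from Google Play."""
    findings = []
    for pkg, classes in sorted(enabled.items()):
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            findings.append({"package": pkg, "installer": installer,
                             "services": classes})
    return findings


def triage_from_text(services_raw: str, packages_raw: str) -> List[dict]:
    """Run the check on already-captured command output (works offline)."""
    return find_suspicious(parse_enabled_services(services_raw),
                           parse_installers(packages_raw))


def triage_live_device() -> List[dict]:
    """Run the check against a device attached over adb (needs adb on PATH)."""
    def sh(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return triage_from_text(
        sh("settings", "get", "secure", "enabled_accessibility_services"),
        sh("pm", "list", "packages", "-i"))


if __name__ == "__main__":
    for f in triage_from_text(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGE_LIST):
        print(f"SUSPECT {f['package']} (installer={f['installer']}): "
              + ", ".join(f["services"]))
```

Run against the constructed sample it reports only `com.example.chromeupdate`; TalkBack is skipped because it came from Google Play. The heuristic is deliberately one-sided: a Play Store installer does not prove an app benign, and a package with no entry in the package list shows as `unknown` rather than being ignored. On Android 13 and later, a side-loaded package appearing in this list at all is notable, since restricted settings should have blocked the grant unless the user unlocked it manually or a loader bypassed it.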

Read more: https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/