Android Warning As Brokewell Malware Targets Banking Apps And User Data

Google Chrome is the default browser on Android, and so when a dangerous update is caught spying on users and accessing their accounts, it’s a serious concern…

Another warning has just been issued for the millions of Android users likely to click on links to apps and updates from within messages and emails. Just as we saw in February, a fake Chrome update is tricking users into putting their devices at risk.

We don’t know how many users have fallen victim to this particular attack—but given this is the second fake Chrome approach in just a few weeks, all Android users should consider themselves warned not to click on such Google Chrome update links.

Threat Fabric says that this new Brokewell malware comes “with an extensive set of Device Takeover capabilities… This approach seems innocent (with a carefully crafted page promoting an update for a newer version of the software) and natural (as it occurs during normal browser use) to unsuspecting victims.”

The malware itself is “a previously unseen malware family with a wide range of capabilities,” and these include accessing banking apps and even conducting full or part device takeovers. This new malware is still under development, and new commands are being added “daily.”

Brokewell has also been distributed in APKs other than the fake Chrome installer, but as we have seen before, posing as the default Android browser reaches more users than imitating apps with smaller install bases. Earlier this year, we saw a warning from McAfee that Android users should not click any links that claimed to install Chrome updates on their phones. The risk highlighted there was MoqHao malware, although the initial lure technique was similar.

While tricking its way into your banking apps is bad enough, the malware’s ability to capture everything and anything on your device is worse: “All actions are logged and sent to the command-and-control server, effectively stealing any confidential data displayed or entered on the compromised device.” This means that any app or service on a user’s phone is open to compromise, not just those initially targeted.

Brokewell creates an overlay screen in front of real apps to capture login details. The malware can also steal session cookies—an increasingly common technique to bypass multi-factor authentication by presenting as a trusted user on a different device.
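The session-cookie theft described above works because many services treat possession of a cookie as proof of identity, regardless of where the cookie is presented from. The following is an added illustration of one server-side mitigation, binding each session to the coarse client context observed at login and revoking it when the same cookie turns up from a different context; it is example code written for this article, not Brokewell code and not any bank's implementation. The secret key, the fingerprint inputs (User-Agent plus IP prefix) and the in-memory store are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed demo secret; a real deployment would load this from a vault, not source.
SECRET_KEY = b"server-side-secret-for-demo-only"


def context_fingerprint(user_agent: str, ip_prefix: str) -> str:
    """Keyed hash of the coarse client context the server can observe.

    A cookie replayed from another device will usually arrive with a different
    User-Agent and/or network prefix, so the fingerprint will not match.
    """
    material = f"{user_agent}|{ip_prefix}".encode()
    return hmac.new(SECRET_KEY, material, hashlib.sha256).hexdigest()


class SessionStore:
    """Minimal in-memory session store that binds sessions to client context."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, user: str, user_agent: str, ip_prefix: str, mfa_passed: bool) -> str:
        """Issue a session token after login; record the context it was issued to."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fp": context_fingerprint(user_agent, ip_prefix),
            "mfa_passed": mfa_passed,
            "created": time.time(),
        }
        return token

    def validate(self, token: str, user_agent: str, ip_prefix: str) -> tuple[bool, str]:
        """Return (accepted, reason) for a request presenting this token.

        On a context mismatch the session is revoked outright, so the holder of
        a stolen cookie gets one failed request and the legitimate user is
        forced back through login and MFA rather than silently sharing a session.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return False, "unknown-session"
        if not sess["mfa_passed"]:
            return False, "mfa-required"
        presented = context_fingerprint(user_agent, ip_prefix)
        if not hmac.compare_digest(sess["fp"], presented):
            del self._sessions[token]  # revoke: possible cookie replay
            return False, "context-mismatch-revoked"
        return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    # Constructed sample contexts, not captured traffic.
    tok = store.create("alice", "Mozilla/5.0 (Linux; Android 14)", "203.0.113.0/24", mfa_passed=True)
    print(store.validate(tok, "Mozilla/5.0 (Linux; Android 14)", "203.0.113.0/24"))
    print(store.validate(tok, "Mozilla/5.0 (Windows NT 10.0)", "198.51.100.0/24"))
    print(store.validate(tok, "Mozilla/5.0 (Linux; Android 14)", "203.0.113.0/24"))
```

The caveat the article itself points to applies here: context binding only helps against a cookie replayed from elsewhere. When the fraud is committed on the victim's own device, as Brokewell's device-takeover capabilities allow, the context matches and this check passes, which is exactly why the Threat Fabric quote below calls on-device fraud a challenge for tools that rely on device fingerprinting.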

Brokewell’s dropper—the app that’s initially installed by the user and which then downloads the malware itself—bypasses the accessibility protections in Android that are designed to stop just such a side-loading attack.

Threat Fabric warns that the wider distribution of the new dropper behind this attack “will have a significant impact on the threat landscape—more actors will gain the capability to bypass Android restrictions,” which “highlights the ongoing demand for such capabilities among cyber criminals. These actors require this functionality to commit fraud directly on victims' devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting.”

Threat Fabric expects wider distribution of the new dropper and malware across the usual “underground channels,” which means all Android users who are likely to install apps or updates from outside the official store may be at risk.

Users with Google Play Protect on their devices will be protected from known versions of this malware, but the usual rules still apply:

  1. Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load; also ensure Google Play Protect is enabled on your device.
  2. Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
  3. Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
  4. Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
  5. Do not install apps that link to established apps like Chrome unless you know for a fact they’re legitimate—check reviews and online write-ups.
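Rules 1 and 3 above (install only from the official store; grant accessibility permissions only when genuinely needed) can be checked on a device you administer rather than taken on trust. The script below is an added example for this article, not a Threat Fabric or Google tool: it parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags accessibility services that are not on an allowlist and packages that were not installed by Google Play. The sample outputs embedded in the script are constructed, the package names in them are invented, and the allowlists are assumptions you would adjust for your own fleet (OEM app stores, enterprise MDM installers, approved screen readers).

```python
import re
import subprocess

# Constructed sample output, not captured from a real device. The format follows
# what the two adb commands print: a colon-separated list of package/service
# entries, and one "package:<name>  installer=<pkg or null>" line per package.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/.UpdateAccessibilityService"
)
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.fakechrome  installer=null
package:com.bank.mobile  installer=com.android.vending
package:com.example.sideloaded  installer=com.google.android.packageinstaller
"""

# Assumed allowlists; extend for your environment.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play
KNOWN_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}  # screen reader

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_accessibility_services(setting: str) -> list[str]:
    """Return the package names of enabled accessibility services.

    The setting is 'null' or empty when nothing is enabled; otherwise each
    entry is '<package>/<service class>' and entries are colon-separated.
    """
    if not setting or setting.strip() == "null":
        return []
    return [entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry]


def parse_installers(pm_output: str) -> dict[str, str]:
    """Map each package to the installer package that pm reports for it."""
    installers: dict[str, str] = {}
    for line in pm_output.splitlines():
        match = PM_LINE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def audit(setting: str, pm_output: str,
          trusted_installers: set[str] = TRUSTED_INSTALLERS,
          known_services: set[str] = KNOWN_ACCESSIBILITY_PACKAGES) -> dict[str, list[str]]:
    """Flag sideloaded packages and accessibility services that need a second look.

    An accessibility service is flagged when its package is not on the allowlist
    or when that package was itself installed from outside a trusted store.
    """
    installers = parse_installers(pm_output)
    sideloaded = sorted(p for p, inst in installers.items() if inst not in trusted_installers)
    services = parse_accessibility_services(setting)
    suspicious = sorted(p for p in services if p not in known_services or p in sideloaded)
    return {"sideloaded": sideloaded, "suspicious_accessibility": suspicious}


def audit_connected_device() -> dict[str, list[str]]:
    """Run the two adb commands against the attached device (assumes adb on PATH)."""
    setting = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True).stdout
    pm_output = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-i"],
        capture_output=True, text=True, check=True).stdout
    return audit(setting, pm_output)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for key, value in audit(SAMPLE_ACCESSIBILITY, SAMPLE_PM).items():
        print(f"{key}: {value}")
```

On the sample data the invented fake-Chrome package is reported twice: it has an enabled accessibility service and no recorded installer, which is the combination a banking-malware dropper of the kind described above would produce. A hit is a prompt to investigate, not proof of infection; legitimate automation and assistive apps also use accessibility services, which is why the allowlist matters.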