Connect with us

Hi, what are you looking for?


Malware & Threats

Powerful ‘Brokewell’ Android Trojan Allows Attackers to Takeover Devices

A new Android trojan named Brokewell can steal user’s sensitive information and allows attackers to take over devices.

Android security

A newly identified Android trojan can steal user information and provide attackers with the ability to take control of infected devices, threat detection company ThreatFabric reports.

Dubbed Brokewell, the trojan includes all the capabilities of mobile banking malware, while also providing attackers with remote access to devices.

Brokewell is being distributed via fake application updates, such as newer Chrome browser iterations and updates for an Austrian digital authentication application.

To harvest the victim’s credentials, the malware overlays fake windows over the targeted mobile applications. Furthermore, it can steal browser cookies by launching its own WebView, loading the legitimate site, and dumping session cookies after the user completes the login process.

Additionally, ThreatFabric discovered that Brokewell has an accessibility logging capability, which allows it to capture device events such as touches, swipes, text input, opened applications, and information being displayed on the screen.

The malware harvests all this information and sends it to a command-and-control (C&C) server, giving the threat actors a trove of stolen data.

“It’s important to highlight that, in this case, any application is at risk of data compromise: Brokewell logs every event, posing a threat to all applications installed on the device,” ThreatFabric points out.

The malware also packs spyware capabilities, collecting information about the device and stealing data such as call history and geolocation, along with the ability to record audio.

Advertisement. Scroll to continue reading.

Brokewell can also perform screen streaming, and supports various commands that allow the attackers to take full control over the infected device and perform various actions on the screen, including touches, swipes, clicks, scrolls, text input, and more.

ThreatFabric discovered that one of the malware’s C&C servers was also used to host a repository called Brokewell Cyber Labs, which contained the source code for a ‘Brokewell Android Loader’ and that both were developed by a threat actor called Baron Samedit.

The loader is capable of bypassing existing Android 13 and newer restrictions on using Accessibility Service for application sideloading, potentially allowing multiple actors to include the capability in their malware.

Baron Samedit has been active for at least two years, providing cybercriminals with tools to check stolen accounts from multiple services.

“We anticipate further evolution of this malware family, as we’ve already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions,” ThreatFabric concludes.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson told SecurityWeek.

*Updated with statement from Google

Related: ‘Vultur’ Android Malware Gets Extensive Device Interaction Capabilities

Related: Chameleon Android Malware Can Bypass Biometric Security

Related:BouldSpy’ Android Malware Used in Iranian Government Surveillance Operation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

NSA has announced Kristina Walter as the new chief of the agency's Cybersecurity Collaboration Center.

More People On The Move

Expert Insights