RedX

How Google Chrome updates help you remotely control a victim's phone.

ThreatFabric has identified a new malicious application called Brokewell that can record every action on your device, from tapping to typing and launching apps. The Trojan is distributed via a fake Google Chrome update in the browser and affects Android users.

Brokewell is under active development and has extensive capabilities for device capture and remote management. Fraudsters have already used the Trojan disguised as financial services operating on the "buy now, pay later" model (for example, Klarna), as well as the Austrian digital authentication application ID Austria.


Real page for downloading Google Chrome (left) and a fake page for downloading Chrome updates (right)

The main functions of Brokewell include data theft and providing remote access to intruders:

  • Simulating login screens to steal credentials;
  • Intercepting and extracting cookies via the native WebView interface after the user logs in to a legitimate site;
  • Capturing user interaction with the device, including taps, swipes, and text input, to steal input data;
  • Collecting information about the hardware and software characteristics of the device;
  • Accessing the call log and device geolocation;
  • Recording audio via the device's microphone.

Device capture capabilities:

  • Real-time display of the device screen;
  • Performing touch and swipe gestures on an infected device;
  • Remotely clicking on screen elements;
  • Entering text in the specified fields and simulating clicks on system buttons.

In addition, the researchers identified a new tool called Brokewell Android Loader, developed by the same person, known as Baron Samedit. The loader is used to bypass the restrictions introduced in Android 13, which were supposed to prevent abuse of the accessibility service by applications installed from unofficial sources.

Experts warn that the ability to capture devices is in high demand among cybercriminals, as it allows them to perform fraudulent operations directly from the victim's device, which complicates detection. To protect yourself from such threats, it is recommended not to download apps and updates outside the official Google Play store and to activate the Play Protect function.
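A defender-side check related to the advice above, added here as an example and not part of the original post or of ThreatFabric's report: it lists apps that hold an enabled accessibility service but were not installed by Google Play. The package names in the sample data and the trusted-installer allow-list are constructed assumptions.

```python
# Audit a device for sideloaded apps that hold an accessibility service.
# Inputs are the saved text output of these adb commands:
#   adb shell pm list packages -i      (package + installer of record)
#   adb shell pm list packages -s      (preinstalled system packages, optional)
#   adb shell settings get secure enabled_accessibility_services

# Installers treated as trusted; this allow-list is an assumption.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

def parse_installers(pm_output):
    """Map package name -> installer (None if absent or 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        parts = line.strip().split()
        if not parts or not parts[0].startswith("package:"):
            continue
        installer = None
        for field in parts[1:]:
            if field.startswith("installer="):
                value = field.split("=", 1)[1]
                installer = None if value == "null" else value
        installers[parts[0][len("package:"):]] = installer
    return installers

def parse_accessibility(setting_value):
    """Packages owning an enabled service ('pkg/cls:pkg/cls' format)."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def flag_sideloaded_accessibility(pm_output, setting_value, system_pm_output=""):
    """Return sorted (package, installer) pairs that deserve review."""
    installers = parse_installers(pm_output)
    system = set(parse_installers(system_pm_output))  # preinstalled: skip
    return [(pkg, installers.get(pkg))
            for pkg in sorted(parse_accessibility(setting_value) - system)
            if installers.get(pkg) not in TRUSTED_INSTALLERS]

# Constructed sample data (not taken from a real device).
SAMPLE_PM = """package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.helper  installer=com.google.android.packageinstaller
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.fakeupdate/.InputService:com.example.helper/.Svc")

if __name__ == "__main__":
    for pkg, installer in flag_sideloaded_accessibility(SAMPLE_PM, SAMPLE_A11Y):
        print(f"review: {pkg} (installer: {installer})")
```

A flagged entry is a lead for review rather than proof of infection, since legitimately sideloaded accessibility tools are reported the same way.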
 