CRIL researchers observed a new Android banking trojan, 'Brokewell,' being distributed through a phishing site disguised as the official Chrome update page.
The malicious Android Banking Trojan comes equipped with various functionalities such as screen recording, keylogging and over 50 different remote commands.
Upon further investigation, researchers were able to trace the trojan back to its developer, who described the trojan as capable of bypassing permission restrictions on the latest versions of the Android operating system.
Developer Behind Android Banking Trojan Found Distributing Other Spyware Tools
CRIL researchers identified the trojan being distributed through the domain "hxxp://makingitorut[.]com", which disguises itself as the official Chrome update website and bears several striking similarities to it.
[Figure: Source: Cyble]
The site deceives the user into thinking that an update is required, describing it as being necessary "to secure your browser and fix important vulnerabilities." A download button on the site leads users to download the malicious APK file "Chrome.apk" onto their devices.
Upon examination, the downloaded APK file was discovered to be a new Android banking trojan incorporating over 50 different remote commands, such as collecting telephony data, collecting call history, waking the device screen, gathering location, managing calls, and recording the screen and audio.
The trojan communicated with a remote command and control (C&C) server operating through the "mi6[.]operationanonrecoil[.]ru" domain and hosted on the IP address "91.92.247[.]182".
[Figure: Source: Cyble]
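The phishing domain, C&C domain and hosting IP above are the kind of indicators a defender would sweep outbound DNS and proxy logs for. The following is an added example, not code from Cyble or from the original report: it refangs the indicators exactly as the article prints them, then checks constructed log lines (the log format and the internal client addresses are assumptions) for any host that equals an indicator, is a subdomain of one, or resolves directly to the listed IP.

```python
import ipaddress
import re

# Indicators as reported in the article, kept in defanged form so they can be
# pasted straight from a report. The log lines further down are constructed.
DEFANGED_INDICATORS = [
    "hxxp://makingitorut[.]com",        # phishing site posing as a Chrome update page
    "mi6[.]operationanonrecoil[.]ru",   # command and control domain
    "91.92.247[.]182",                  # IP hosting the C&C server
]

# Assumed log format: <timestamp> <client> <dns|http> <queried name or URL>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|http)\s+(?P<target>\S+)")


def refang(indicator: str) -> str:
    """Normalise a defanged indicator or a logged URL down to a bare host or IP."""
    s = indicator.strip().lower()
    for bracket in ("[.]", "(.)", "{.}"):
        s = s.replace(bracket, ".")
    s = re.sub(r"^(hxxps?|https?)://", "", s)   # drop the scheme, defanged or not
    return s.split("/")[0].rstrip(".")           # keep only the host part


def load_indicators(defanged):
    """Split indicators into a set of domains and a set of IP addresses."""
    domains, ips = set(), set()
    for ind in defanged:
        value = refang(ind)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def scan_log(lines, defanged=DEFANGED_INDICATORS):
    """Return (client, raw target, matched indicator) for every line that touches an indicator.

    A domain matches exactly or as a parent of the logged host, so a new
    subdomain under a known C&C domain is still caught.
    """
    domains, ips = load_indicators(defanged)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = refang(m.group("target"))
        matched = host if host in ips else None
        if matched is None:
            for d in domains:
                if host == d or host.endswith("." + d):
                    matched = d
                    break
        if matched:
            hits.append((m.group("src"), m.group("target"), matched))
    return hits


# Constructed sample: one client fetches the fake update and then beacons to the C&C.
SAMPLE_LOG = """\
2024-04-25T10:01:02Z 10.0.0.12 dns update.google.com
2024-04-25T10:01:09Z 10.0.0.12 http http://makingitorut.com/Chrome.apk
2024-04-25T10:02:30Z 10.0.0.12 dns mi6.operationanonrecoil.ru
2024-04-25T10:02:31Z 10.0.0.12 http http://91.92.247.182/gate
2024-04-25T10:03:00Z 10.0.0.7 dns www.example.org
"""

if __name__ == "__main__":
    for src, target, indicator in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{src} contacted {target} (indicator: {indicator})")
```

Matching on the parent domain rather than the literal string is deliberate: the article names one host under operationanonrecoil[.]ru, and a sweep that only matched that exact name would miss a rotated subdomain on the same infrastructure.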
The malware was further linked to a git repository, where it was described as being capable of circumventing permission-based restrictions on Android versions 13, 14, and 15. The git repository contained links to profiles on underground forums, a Tor page, and a Telegram channel.
The Tor page directed to the malware developer's personal page, where they took steps to introduce themselves and linked to a site listing various other projects they had developed, such as checkers, validators, stealers, and ransomware. Since CRIL researchers did not observe any mention of the Android banking trojan on the site, it is assumed that the trojan is a very recent development which might be listed within the coming days.
Technical Capabilities of Android Banking Trojan "Brokewell"
[Figure: Source: Shutterstock]
Researchers note that the Brokewell banking trojan is likely in its initial stages of development and thus possesses limited functionality for the time being. The current attack techniques primarily involve screen overlay attacks, screen and audio capture, and keylogging. However, researchers warn that future versions of the Android banking trojan may incorporate additional features.
The malware is observed conducting a pre-emptive check to determine whether the host system has been rooted. This stage involves checking for the package names of a root-check application, a network traffic analysis tool and an APK parsing tool.
Once the device is detected to not be rooted, it proceeds with normal execution, first prompting the victim for accessibility permissions. The accessibility service is then abused to grant the application other permissions such as "Display over other apps" and "Installation from unknown sources".
[Figure: Source: Cyble]
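The combination described above, an accessibility service that is then used to self-grant overlay and sideloading permissions, is visible in an app's manifest before the app ever runs, which makes it a useful triage signal for anyone vetting a suspicious APK. The script below is an added example, not Cyble's tooling or the malware's code: it takes a decoded AndroidManifest.xml (in practice extracted from the APK with a decoder such as apktool; the two manifests embedded here are constructed) and rates it on whether it declares an accessibility service alongside the permissions that map to the behaviours the report lists.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Standard Android permissions that correspond to the capabilities described
# in the report: overlays, sideloading, audio capture, telephony and location.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "display over other apps (overlay)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installation from unknown sources",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.READ_CALL_LOG": "call history collection",
    "android.permission.READ_PHONE_STATE": "telephony data collection",
    "android.permission.ACCESS_FINE_LOCATION": "location gathering",
    "android.permission.CALL_PHONE": "call management",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the permission posture of a decoded manifest and assign a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}
    # An accessibility service is a <service> protected by the BIND_ACCESSIBILITY_SERVICE
    # permission; that is what lets an app read and act on other apps' screens.
    has_accessibility = any(
        svc.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND for svc in root.iter("service")
    )
    risky = sorted(p for p in RISKY_PERMISSIONS if p in requested)

    # Verdict rationale (an assumption of this example, not a published scoring scheme):
    # accessibility plus overlay is the pairing used to self-grant permissions and
    # draw fake screens over legitimate apps, so it outranks any single permission.
    if has_accessibility and OVERLAY in requested:
        verdict = "high"
    elif has_accessibility or len(risky) >= 2:
        verdict = "medium"
    else:
        verdict = "low"

    return {
        "package": root.get("package", ""),
        "accessibility_service": has_accessibility,
        "risky_permissions": risky,
        "findings": [RISKY_PERMISSIONS[p] for p in risky],
        "verdict": verdict,
    }


# Constructed manifest mirroring the behaviours in the report (not the real sample's).
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Chrome">
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: one sensitive permission, no accessibility service.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], "-", "; ".join(r["findings"]) or "no risky permissions")
```

The check is a triage aid, not proof of malice: legitimate screen readers and automation tools also declare accessibility services. Its value is in flagging an app that calls itself "Chrome", is sideloaded from an update-themed site, and asks for this particular combination, which is exactly the profile the report describes.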
After obtaining permissions, the application prompts the user to enter the device PIN through a fake PIN screen with German localization. The PIN is then stored in a text file for subsequent use. The German localization, along with several samples of the malware having been uploaded to VirusTotal from the German region, led researchers to believe that it is primarily targeting Germany.
In addition to German, several strings in Chinese, French, Finnish, Arabic, Indonesian, Swedish, Portuguese, and English were also spotted. These strings suggest that the malware could expand its targets with the emergence of subsequent iterations incorporating additional features.
Researchers anticipate increased promotion of the tool on underground forums and through the malware developer's product portal, underscoring the steady evolution of banking trojans and the need for continuous monitoring of such developments.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.