German Users Targeted by Android Banking Trojan


Android Banking Trojan “Brokewell” Disguised as Official Chrome Update Page: CRIL Researchers

Researchers at CRIL have uncovered a new Android banking trojan called ‘Brokewell’ that is being spread through a phishing site posing as the official Chrome update page. The trojan is equipped with dangerous functionality such as screen recording, keylogging, and over 50 remote commands.

Further investigation led the researchers back to the developer behind the trojan, who boasted about its ability to bypass permission restrictions on the latest Android operating system versions. The trojan was traced back to a domain named “hxxp://makingitorut[.]com”, masquerading as the Chrome update website.

Once users are lured into downloading the supposed Chrome update, they unwittingly download the malicious APK file “Chrome.apk” onto their devices. This file contains the Android banking trojan, which can execute various remote commands such as collecting telephony data and call history, tracking location, and recording the screen.

The trojan is connected to a remote command and control server operating through the domain “mi6[.]operationanonrecoil[.]ru”. Through a git repository, researchers discovered that the trojan can bypass permission-based restrictions on Android versions 13, 14, and 15.

While the current version of the Brokewell Banking Trojan is basic, utilizing screen overlay attacks and keylogging, researchers warn that future iterations may include more sophisticated features. The trojan also employs tactics to detect rooted devices before executing and uses German localization to prompt users to input their device PIN.

With the prospect of international expansion and continuous development, the threat of Android banking trojans like ‘Brokewell’ highlights the importance of staying vigilant against cybercriminal activities and the need for ongoing monitoring and defense measures.
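For the monitoring side, the two domains and the “Chrome.apk” file name reported above can be matched against web proxy logs. The following is an added example, not code from CRIL or from the original article; the log format (`timestamp client_ip METHOD url`), the sample lines, and the rule that flags a `Chrome.apk` download from any non-Google host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Indicators exactly as the article prints them (defanged).
DEFANGED_IOCS = ["hxxp://makingitorut[.]com", "mi6[.]operationanonrecoil[.]ru"]

def refang(ioc):
    """Turn a defanged indicator back into a parseable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def ioc_hosts(iocs):
    """Reduce URL or bare-domain indicators to lower-case hostnames."""
    hosts = set()
    for ioc in iocs:
        text = refang(ioc)
        host = urlsplit(text if "://" in text else "//" + text).hostname
        hosts.add(host.lower().rstrip("."))
    return hosts

def host_matches(host, bad_hosts):
    """Exact or subdomain match; 'notmakingitorut.com' must not match."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in bad_hosts)

def scan(log_lines, bad_hosts):
    """Return (line_number, reason) for each suspicious proxy log line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # not in the assumed 'ts ip METHOD url' format
        url = urlsplit(fields[3])
        host = url.hostname or ""
        if host_matches(host, bad_hosts):
            hits.append((number, "ioc-domain"))
        # Assumed heuristic: Chrome on Android updates through Google Play,
        # so a Chrome.apk fetched from a non-Google web host is suspect.
        elif url.path.lower().endswith("/chrome.apk") and not host_matches(host, {"google.com"}):
            hits.append((number, "chrome-apk-sideload"))
    return hits

# Constructed sample log lines (timestamps, client IPs and paths are made up).
PHISH, C2 = refang(DEFANGED_IOCS[0]), "https://" + refang(DEFANGED_IOCS[1])
SAMPLE_LOG = [
    f"2024-01-01T10:00:00Z 10.0.0.5 GET {PHISH}/",
    f"2024-01-01T10:00:05Z 10.0.0.5 GET {PHISH}/Chrome.apk",
    f"2024-01-01T10:01:00Z 10.0.0.5 POST {C2}/constructed-path",
    "2024-01-01T10:02:00Z 10.0.0.7 GET https://notmakingitorut.com/index.html",
    "2024-01-01T10:03:00Z 10.0.0.8 GET http://downloads.example.net/files/Chrome.apk",
    "2024-01-01T10:04:00Z 10.0.0.9 GET https://www.google.com/chrome/",
]

if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG, ioc_hosts(DEFANGED_IOCS)):
        print(number, reason, SAMPLE_LOG[number - 1])
```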
