One Article Review

Source: Techworm
Identifier: 8490777
Publication date: 2024-04-29 22:01:20 (seen: 2024-04-29 17:08:29)
Title: Android Malware Hacks Bank Accounts With Fake Chrome Update Prompts
Text: Security researchers have discovered a new Android banking trojan that can steal users’ sensitive information and allow attackers to remotely control infected devices. “Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware,” Dutch security firm ThreatFabric said in an analysis published on Thursday.

According to ThreatFabric, Brokewell poses a significant threat to the banking industry, providing attackers with remote access to all assets available through mobile banking. The malware was discovered by the researchers while investigating a fake Google Chrome web browser “update” page, commonly used by cybercriminals to lure victims into downloading and installing malware. Looking at prior campaigns, the researchers found that Brokewell was used to target a popular “buy now, pay later” financial service and an Austrian digital authentication application.

The malware is said to be in active development, with new commands added almost daily to capture every event on the device, from keystrokes and information displayed on screen to text entries and apps launched by the victim. Once downloaded, Brokewell creates an overlay screen on a targeted application to capture user credentials. It can also steal browser cookies by launching its own WebView, overriding the onPageFinished method, and dumping the session cookies after the user completes the login process.

“Brokewell is equipped with “accessibility logging,” capturing every event happening on the device: touches, swipes, information displayed, text input, and applications opened. All actions are logged and sent to the command-and-control server, effectively stealing any confidential data displayed or entered on the compromised device,” the ThreatFabric researchers point out.

“It’s important to highlight that, in this case, any application is at risk of data compromise: Brokewell logs every event, posing a threat to all applications installed on the device. This piece of malware also supports a variety of “spyware” functionalities: it can collect information about the device, call history, geolocation, and record audio.”

After stealing the credentials, the attackers can initiate a Device Takeover attack using remote control capabilities to perform screen streaming. It also provides the threat actor with a range of commands that can be executed on the controlled device, such as touches, swipes, and clicks on specified elements.

ThreatFabric discovered that one of the servers used as a command and control (C2) point for Brokewell was also used to host a repository called “Brokewell Cyber Labs,” created by a threat actor called “Baron Samedit.” This repository comprised the source code for the “Brokewell Android Loader,” another tool from the same developer designed to bypass restrictions Google introduced in Android 13 and later to prevent exploitation of Accessibility Service for side-loaded apps (APKs). According to ThreatFabric, Baron Samedit has been active for at least two years, providing tools to other cybercriminals to check stolen accounts from multiple services, which could still be improved to support a malware-as-a-service operation.

“We anticipate further evolution of this malware family, as we’ve already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions,” the researchers conclude. Hence, the only way to effectively identify and prevent potential fraud from malware families like the newly discovered Brokewell is to use a comprehensive
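The article notes that Android 13 restricts Accessibility Service for side-loaded APKs and that Brokewell's loader exists to get around that. A defender triaging a device can apply the same logic in reverse: list which packages currently have an accessibility service enabled and check whether each was installed by a trusted store. The script below is an added example, not code from the article or from ThreatFabric. It parses two constructed inputs whose shape follows `adb shell pm list packages -i` output and the colon-separated `enabled_accessibility_services` secure setting; the package names (including the fake-update package) are invented for the example, and a real triage would read both values from the device.

```python
"""Added triage example: flag packages with an enabled accessibility service
that were not installed by a trusted store (e.g. Google Play).

Assumptions (not from the article):
- INSTALLER_LISTING mimics `adb shell pm list packages -i` output, one
  `package:<name>  installer=<installer-pkg|null>` line per app.
- ENABLED_SERVICES mimics the value of the `enabled_accessibility_services`
  secure setting: colon-separated `<package>/<service-class>` entries.
Both are constructed sample data; package names are hypothetical.
"""
import re
from dataclasses import dataclass

# Package name of the Google Play Store; extend for enterprise stores if needed.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample: a sideloaded "chrome update" package has installer=null.
INSTALLER_LISTING = """\
package:com.android.vending  installer=null
package:com.example.bank  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.update.chrome.fake  installer=null
package:com.example.shop  installer=com.android.vending
"""

# Constructed sample: two accessibility services enabled, one legitimate.
ENABLED_SERVICES = (
    "com.update.chrome.fake/.CoreService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str   # "null" for sideloaded/system, "unknown" if not listed
    service: str     # the enabled accessibility service component


def parse_installers(listing: str) -> dict[str, str]:
    """Map package name -> installer package from pm-style listing lines."""
    result: dict[str, str] = {}
    for line in listing.splitlines():
        m = _LINE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def parse_enabled_services(value: str) -> dict[str, str]:
    """Map package name -> enabled accessibility service component string."""
    services: dict[str, str] = {}
    for entry in filter(None, value.split(":")):
        pkg, _, _cls = entry.partition("/")
        services[pkg] = entry
    return services


def find_suspicious(listing: str, enabled: str) -> list[Finding]:
    """Return enabled accessibility services whose package is not from a
    trusted installer. Packages missing from the listing are reported as
    'unknown' so they are reviewed rather than silently skipped."""
    installers = parse_installers(listing)
    findings: list[Finding] = []
    for pkg, component in parse_enabled_services(enabled).items():
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, installer, component))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(INSTALLER_LISTING, ENABLED_SERVICES):
        print(f"REVIEW: {f.package} (installer={f.installer}) -> {f.service}")
```

The check is deliberately conservative: preinstalled system accessibility apps also report `installer=null`, so in practice you would maintain an allowlist of known system packages alongside `TRUSTED_INSTALLERS` and treat anything else with an enabled accessibility service as something to examine by hand.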
Sent: Yes
Tags: Malware Tool Threat Mobile
Rating: ★★


The article does not appear to have been picked up after its publication.


The article does not appear to repeat an earlier one.