# Brokewell
Brokewell is an Android banking trojan discovered by ThreatFabric in April 2024 that combines extensive data-stealing capabilities with full remote-control functionality. Attributed to a developer operating under the alias "Baron Samedit Marais" through an entity called "Brokewell Cyber Labs," the malware is distributed through fake browser update pages impersonating Google Chrome. Under rapid and active development with new commands added almost daily, Brokewell represents a significant emerging threat to mobile banking security, with reverse engineering revealing code-level connections to the Herodotus banking trojan.
## Overview
| Attribute | Details |
|---|---|
| First Seen | April 2024 |
| Status | Active, under rapid development |
| Type | Banking trojan, data stealer, RAT |
| Aliases | None known |
| Attribution | "Baron Samedit Marais" / "Brokewell Cyber Labs" |
| Distribution | Fake Chrome update pages, fake ID Austria app, fake Klarna app |
## Origin and Lineage
ThreatFabric discovered Brokewell in April 2024 while analyzing a fake Chrome browser update page designed to trick users into downloading a malicious APK. Investigation of the sample revealed a previously undocumented malware family with a broad range of capabilities that appeared to be under very active development.
Attribution traces back to an individual using the alias "Baron Samedit Marais," who operates under the name "Brokewell Cyber Labs." ThreatFabric identified this developer through artifacts left in the malware's code and associated infrastructure. The developer maintained a public repository of tools, suggesting confidence in operating openly within the underground ecosystem.
Reverse engineering of Brokewell revealed shared obfuscation techniques and code structures with Herodotus, a MaaS banking trojan discovered later in October 2025. Herodotus dynamically loads a Brokewell module at runtime, establishing a direct code-level connection between the two families. Despite these links, Herodotus is attributed to a different threat actor ("K1R0"), indicating that Brokewell's codebase has been adopted or licensed by other operators rather than representing a simple rebrand.
## Distribution
| Vector | Details |
|---|---|
| Fake Chrome updates | Phishing pages mimicking Google Chrome's update interface |
| Fake ID Austria app | Impersonates Austria's digital identity application |
| Fake Klarna app | Impersonates the Klarna shopping and payments platform |
ThreatFabric documented the primary distribution method as fake browser update pages that closely replicate the legitimate Chrome update flow. Victims encounter these pages through malicious redirects or phishing links and are prompted to download what appears to be a critical browser update. The malware has also been observed masquerading as the ID Austria digital identity app and the Klarna financial services app, indicating the operators tailor their lures to specific regional targets.
## Capabilities
### Core Features
| Capability | Implementation |
|---|---|
| Overlay attacks | WebView-based inject screens triggered when target banking apps are opened |
| Cookie theft | Launches a WebView loading the target site, then extracts session cookies after authentication |
| Audio recording | Captures ambient audio from the device microphone |
| Screenshot capture | Takes screenshots of the current display on demand |
| Device location | Collects GPS coordinates and location data |
| SMS access | Reads and exfiltrates SMS messages stored on the device |
| Call log access | Harvests call history including numbers, durations, and timestamps |
| Event logging | Records all accessibility events including taps, swipes, text input, and app interactions |
| Remote control | Full interactive device control via screen streaming and command execution |
### Permissions
| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Event logging, credential capture, remote UI interaction |
| SYSTEM_ALERT_WINDOW | Overlay injection windows over banking apps |
| READ_SMS | SMS exfiltration |
| READ_CONTACTS | Contact list harvesting |
| READ_CALL_LOG | Call history exfiltration |
| READ_PHONE_STATE | Device fingerprinting |
| CAMERA | Screenshot capture |
| RECORD_AUDIO | Ambient audio recording |
| ACCESS_FINE_LOCATION | GPS location tracking |
| INTERNET | C2 communication |
| FOREGROUND_SERVICE | Persistent background service |
| RECEIVE_BOOT_COMPLETED | Restart after reboot |
| REQUEST_INSTALL_PACKAGES | Loader installs main payload |
| WAKE_LOCK | Keep device awake during remote sessions |
### Data Theft
Brokewell's data-stealing capabilities extend well beyond traditional banking trojans. The malware logs every interaction the victim makes with the device through accessibility event monitoring, capturing text typed into any app, elements displayed on screen, and applications opened. This comprehensive event logging builds a complete picture of the victim's device usage.
The cookie theft mechanism is particularly notable. Rather than intercepting cookies in transit, Brokewell launches its own WebView instance pointed at a target site (such as accounts.google.com), allows the victim to authenticate normally, then extracts the session cookies from the WebView. This gives operators authenticated session tokens they can use to access victim accounts from their own infrastructure.
### Remote Control
The remote access module provides operators with full interactive control of the infected device:
- Screen streaming transmits the device display to the operator in real time
- Touch simulation allows the operator to perform taps and swipes at arbitrary coordinates
- Text input enables the operator to type into any field on the device
- Scroll and navigation commands let the operator move through apps and menus
- Hardware button simulation triggers back, home, and recent apps actions
## Technical Details
### Loader Architecture
ThreatFabric's analysis revealed that Brokewell uses a loader to bypass Android 13+ restrictions on accessibility service permissions for sideloaded apps. The loader installs the main payload and requests the necessary permissions, working around the protections Google introduced to prevent sideloaded applications from gaining accessibility access.
### Rapid Development Cycle
One of Brokewell's most distinguishing characteristics is its development velocity. ThreatFabric observed new commands and capabilities being added to the malware almost daily, with each new version expanding the command set. This cadence suggests a dedicated developer actively building out the platform rather than maintaining a stable, mature product.
### C2 Communication
The malware communicates with its command-and-control infrastructure to receive commands, exfiltrate stolen data, and stream the device screen for remote access sessions. Configuration and targeting data, including overlay inject pages for banking apps, are served from the C2.
### C2 Infrastructure
| Component | Details |
|---|---|
| Protocol | HTTPS for command polling and data exfiltration |
| Screen streaming | Real-time device display streamed to operator panel |
| Overlay delivery | Inject HTML templates served from C2 for WebView rendering |
| Cookie exfiltration | Session cookies from WebView instances transmitted to C2 |
| Command dispatch | Growing command set expanded near-daily during active development |
| Attribution artifacts | Developer maintained public repository of tooling linked to "Brokewell Cyber Labs" |
## Target Regions
| Period | Primary Targets |
|---|---|
| April 2024 | Austrian banking users (ID Austria lure) |
| 2024 | European banking users broadly (Chrome update, Klarna lures) |
The initial campaigns used lures specific to Austrian users (the ID Austria digital identity app), but the Chrome update and Klarna lures indicate broader European targeting. Given the rapid development pace and expanding feature set, the target scope is expected to grow as the malware matures.
## Notable Campaigns
April 2024: ThreatFabric disclosed Brokewell after discovering it distributed through fake Chrome update pages. Analysis revealed a fully functional banking trojan with data-stealing and remote-control capabilities under rapid development. The developer was identified as "Baron Samedit Marais" operating "Brokewell Cyber Labs," with a public repository of tooling associated with the operation.
2024 (ongoing): Continued development with near-daily updates expanding the command set and capability matrix. Additional distribution lures including fake ID Austria and Klarna apps were identified, demonstrating campaign diversification alongside technical development.
October 2025: ThreatFabric documented Herodotus, a MaaS banking trojan attributed to a different actor ("K1R0") that dynamically loads a Brokewell module at runtime. This confirmed that Brokewell's codebase had been adopted or licensed by other operators, extending its reach beyond the original developer.
## Evolution
| Phase | Period | Key Changes |
|---|---|---|
| Initial | April 2024 | Full banking trojan with overlays, cookie theft, audio recording, screen streaming, remote control |
| Rapid iteration | Mid-2024 | Near-daily command additions, lure diversification (ID Austria, Klarna) |
| Codebase adoption | October 2025 | Herodotus loads Brokewell module, establishing cross-family code reuse |
## Detection
| Indicator Type | Details |
|---|---|
| Comprehensive accessibility logging | App logging all accessibility events (taps, swipes, text input, app switches) |
| Cookie theft WebView | App launching WebViews for authentication sites (accounts.google.com) without user-visible browser UI |
| Audio recording | Background microphone access from a browser update or utility app |
| Screen streaming | Persistent outbound data consistent with screen capture streaming |
| Loader behavior | APK bypassing Android 13+ accessibility restrictions for sideloaded applications |
| Fake update UI | Chrome update page rendered in a WebView prompting APK download |
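A static triage check that turns the Permissions table and the loader/accessibility rows of the Detection table into something a practitioner can run over an extracted AndroidManifest.xml. This is an added example, not code from ThreatFabric's report or from the malware; the manifest is constructed, and the weights and the `triage`/`declared_permissions` names are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"

# Permissions from the table above (INTERNET, FOREGROUND_SERVICE and WAKE_LOCK
# omitted as too common to score). Weights are an assumption for this example,
# emphasising the accessibility + overlay + data-channel combination.
PROFILE = {
    ACCESSIBILITY: 3, OVERLAY: 3, INSTALL: 2,
    "android.permission.READ_SMS": 2,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
}

def declared_permissions(manifest_xml: str) -> set:
    """Return <uses-permission> names plus the permission guarding each <service>;
    an accessibility service declares BIND_ACCESSIBILITY_SERVICE that way."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(NS + "name") for e in root.iter("uses-permission")}
    names |= {s.get(NS + "permission") for s in root.iter("service")}
    return {n for n in names if n}

def triage(manifest_xml: str) -> dict:
    """Score against PROFILE and flag the two combinations this page highlights:
    accessibility plus overlay (injects, remote control) and REQUEST_INSTALL_PACKAGES (loader)."""
    perms = declared_permissions(manifest_xml)
    hits = sorted(p for p in perms if p in PROFILE)
    return {
        "score": sum(PROFILE[p] for p in hits),
        "hits": hits,
        "accessibility_and_overlay": ACCESSIBILITY in perms and OVERLAY in perms,
        "loader_like": INSTALL in perms,
    }

# Constructed manifest of a fake "browser update" dropper; not a real sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><service android:name=".A11y"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
```

Run `triage(SUSPICIOUS_MANIFEST)` on the constructed sample to see both flags set; on a manifest that only requests INTERNET the score is zero and both flags are false.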
## Related Families
| Family | Relationship |
|---|---|
| Herodotus | Shares obfuscation techniques and code structures. Herodotus dynamically loads a Brokewell module, establishing direct code-level links between the two families. |
| Octo | Both pioneer screen streaming for on-device fraud. Octo uses MediaProjection at 1 fps; Brokewell uses a comparable approach with accessibility event logging for richer context. |
| Hook | Both combine overlay attacks with full remote device control, though Hook derives from the Cerberus lineage while Brokewell is independently developed. |
| Vultur | Both use screen recording/streaming for remote access, with Vultur pioneering the approach via AlphaVNC. |