Security researchers at ThreatFabric have discovered a sophisticated Android malware campaign distributing the "Brokewell" trojan through fake Chrome browser update notifications, targeting banking applications across 14 countries including the United States.
How the Attack Works
The malware chain begins with convincing overlay notifications that mimic legitimate Chrome update prompts on Android devices.
- Fake update overlay captures credentials for 78 banking apps across US, UK, EU, and Australia
- Malware captures screen recordings during banking sessions including 2FA codes
- Accessibility service abuse allows complete device takeover without user awareness
- Distribution through SEO-poisoned websites and malicious Google Ads
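The overlay and accessibility-service abuse described above both depend on permissions a user can audit. The following triage script is an added example for this article, not code from ThreatFabric or Google: it parses the output of two standard adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW`) and flags any enabled accessibility service that is not on an allowlist and whose package can also draw over other apps. The allowlist, the package names and the command output in the sample are constructed for the example; the TalkBack component name is Google's screen reader, the other package is a placeholder, not an indicator from the campaign.

```python
"""Triage helper: flag Android packages that combine an enabled accessibility
service with the draw-over-apps (SYSTEM_ALERT_WINDOW) permission, the two
capabilities an overlay-plus-accessibility trojan relies on.

Input is the text of two adb commands, captured from the device under review:
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <package> SYSTEM_ALERT_WINDOW
All sample data below is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed allowlist of accessibility services an organisation expects to see.
# TalkBack is Google's screen reader; extend with any managed tools you deploy.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


@dataclass
class Finding:
    package: str
    service: str
    can_draw_overlays: bool
    known_good: bool

    @property
    def suspicious(self) -> bool:
        # An unknown service whose package can also draw over other apps
        # matches the overlay + accessibility pattern and gets top priority.
        return not self.known_good and self.can_draw_overlays


def parse_enabled_services(raw: str) -> list[str]:
    """The setting value is a colon-separated list of ComponentName strings,
    or the literal 'null' when no service is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [s for s in raw.split(":") if s]


def overlay_allowed(appops_output: str) -> bool:
    """'appops get <pkg> SYSTEM_ALERT_WINDOW' prints a line such as
    'SYSTEM_ALERT_WINDOW: allow; time=...' or 'SYSTEM_ALERT_WINDOW: deny';
    'No operations.' means the op is at its default (not granted)."""
    for line in appops_output.splitlines():
        if line.strip().startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].split(";", 1)[0].strip()
            return mode == "allow"
    return False


def triage(enabled_setting: str, appops_by_package: dict[str, str]) -> list[Finding]:
    """Cross-reference every enabled accessibility service with its package's
    overlay permission state and return one Finding per service."""
    findings: list[Finding] = []
    for service in parse_enabled_services(enabled_setting):
        package = service.split("/", 1)[0]
        findings.append(Finding(
            package=package,
            service=service,
            can_draw_overlays=overlay_allowed(appops_by_package.get(package, "")),
            known_good=service in KNOWN_GOOD_SERVICES,
        ))
    return findings


# Constructed sample: one legitimate screen reader and one unknown service
# registered under a lookalike "chrome update" package name (placeholder only).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.chromeupdate/com.example.chromeupdate.AccessService"
)
SAMPLE_APPOPS = {
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: deny",
    "com.example.chromeupdate": "SYSTEM_ALERT_WINDOW: allow; time=+2h1m5s ago",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, SAMPLE_APPOPS):
        label = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{label:10} {f.package} overlays={f.can_draw_overlays} known={f.known_good}")
```

In practice the allowlist should be built from a clean reference device or the MDM inventory; any accessibility service outside it deserves a look even without the overlay permission, and the combination of both is the condition to escalate.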
Protection
Google has removed the identified malicious ads and updated Play Protect to detect Brokewell variants. Users should update Chrome only through the Google Play Store, never through browser pop-ups or links. Banking apps with biometric-only authentication are immune to the credential capture technique used by this malware family.