Re: Apple zero-day hole in MarketplaceKit tracks iOS users & the fix breaks alternative marketplace

On 2024-05-15, Andrew <andrew@spam.net> wrote:

On Monday, Apple backported the patch for CVE-2024-23296 to the iOS 16
branch and has fixed another hole Apple QA missed (yet again)

New Brokewell malware takes over Android devices, steals data

Security researchers have discovered a new Android banking trojan they
named Brokewell that can capture every event on the device, from touches
and information displayed to text input and the applications the user
launches.

The malware is delivered through a fake Google Chrome update that is
shown while using the web browser. Brokewell is under active development
and features a mix of extensive device takeover and remote control
capabilities.

Brokewell details

Researchers at fraud risk company ThreatFabric found Brokewell after
investigating a fake Chrome update page that dropped a payload, a common
method for tricking unsuspecting users into installing malware.

Looking at past campaigns, the researchers found that Brokewell had been
used before to target "buy now, pay later" financial services (e.g.
Klarna) and masquarading as an Austrian digital authentication
application called ID Austria.

Brokewell's main capabilities are to steal data and offer remote control
to attackers.

Data stealing:

- Mimics the login screens of targeted applications to steal credentials
  (overlay attacks).
- Uses its own WebView to intercept and extract cookies after a user
  logs into a legitimate site.
- Captures the victim's interaction with the device, including taps,
  swipes, and text inputs, to steal sensitive data displayed or entered
  on the device.
- Gathers hardware and software details about the device.
- Retrieves the call logs.
- Determines the physical location of the device.
- Captures audio using the device's microphone.

Device takeover:

- Allows the attacker to see the device's screen in real-time (screen
  streaming).
- Executes touch and swipe gestures remotely on the infected device.
- Allows remote clicking on specified screen elements or coordinates.
- Enables remote scrolling within elements and typing text into
  specified fields.
- Simulates physical button presses like Back, Home, and Recents.
- Activates the device's screen remotely to make any info available for
  capture.
- Adjusts settings like brightness and volume all the way down to zero.

New threat actor and loader

ThreatFabric reports that the developer behind Brokewell is an
individual calling themselves Baron Samedit, who for at least two years
had been selling tools for checking stolen accounts.

The researchers discovered another tool called "Brokewell Android
Loader," also developed by Samedit. The tool was hosted on one of the
servers acting as command and control server for Brokewell and it is
used by multiple cybercriminals.

Interestingly, this loader can bypass the restrictions Google introduced
in Android 13 and later to prevent abuse of Accessibility Service for
side-loaded apps (APKs).

This bypass has been an issue since mid-2022 and became a bigger problem
in late 2023 with the availability of dropper-as-a-service (DaaS)
operations offering it as part of their service, as well as malware
incorporating the techniques into their custom loaders.

As highlighted with Brokewell, loaders that bypass restrictions to
prevent granting Accessibility Service access to APKs downloaded from
shady sources have now become common and widely deployed in the wild.

Security researchers warn that device takeover capabilities such as
those avaialble in the Brokewell banker for Android are in high demand
among cybercriminals because it allows them to perform the fraud from
the victim's device, thus evading fraud evaluation and detection tools.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR