Would Brokewell malware be blocked by Bitdefender?

Nunzio77
Nunzio77 Defender of the month mod
edited May 6 in Mobile Security

Good morning,
Reading some news about the new Android malware "Brokewell", it would be interesting to understand whether the Bitdefender Mobile Security AV, with its "App Anomaly Detection" feature, would be able to find it, block it and remove it. This malware evades almost all Android AVs (even Google Play Protect) and is also not detected on VirusTotal, thus evading anti-malware signatures.
But BDMS behavioral analysis may notice this malware. A test or analysis of this new type of Android malware would be interesting.

https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware

@agozob what do you think?

Thanks!

Nunzio ·

Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security

Comments

  • Flexx
    Flexx mod

    The blog you shared contains hashes of malware that are already detected by Bitdefender, with BitdefenderFalx being the Android engine.

    https://www.virustotal.com/gui/file/d807070973bde0d85f260950dc764e46a0ba486f62da3e62f3b229ca3ea322f1

    https://www.virustotal.com/gui/file/00d35cf5af2431179b24002b3a4c7fb115380ebda496d78849bf3d10055d8a88

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Nunzio77
    Nunzio77 Defender of the month mod

    It would have been interesting to test this when it turned out that no AVs had signatures for it.


  • Flexx
    Flexx mod

    That's a good idea, but in my opinion, based on assumptions, the behavior blocker may not work 😂

    Regards


  • agozob
    agozob Team Lead, Cyber Threat Intelligence Lab BD Staff

    Hi @Nunzio77,

    Brokewell does perform quite a few suspicious actions after installation which would have triggered App Anomaly Detection even before this type of malware was known and detected by signatures, according to our tests. For instance, right after it's installed it asks the user to enable its Accessibility Service, after which it quickly grants itself a multitude of other permissions. There are also visual indicators of "anomalies" such as the overlays used for phishing (as mentioned in the article), which AAD is also able to identify.

    Unfortunately for us but fortunately for our users, we only noticed a handful of Brokewell samples on our users' devices. Telemetry indicates that they were detected by our scan engine before the user had the chance to run them.

    @Flexx it's not unusual for sophisticated malware such as this to have some sort of uninstall protection which makes it trickier, but not impossible, to get rid of it. The user would still be alerted about the app's abnormal activity and I think that's very useful, because it makes them aware of the infection. That way they can, for instance, switch to airplane mode or turn off the device so that the malware is unable to communicate with the C&C server until they figure out how to get rid of the app (e.g. by booting into Safe Mode or using ADB).
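
The post above describes the behavioural signals that App Anomaly Detection keys on: the Accessibility Service being enabled right after install, a burst of self-granted permissions that follows, and phishing overlays. The following Python block is an added example, not Bitdefender's code and not anything from the ThreatFabric write-up; it scores a constructed timeline of per-app events with three such rules. The event shape, the rule weights, the `THRESHOLD`, the `DANGEROUS` grouping of real Android permission names, the `SENSITIVE_TARGETS` package list and the `com.example.*` package names are all assumptions made for illustration.

```python
"""Toy behavioural scorer for Android app activity, in the spirit of the
App Anomaly Detection behaviour described in the thread. Event shape, rule
weights and threshold are assumptions made for this example, not the
product's real logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    package: str
    kind: str            # installed | accessibility_enabled | permission_granted | overlay_shown
    detail: str = ""     # permission name, or the package an overlay covers


# Permissions an app can abuse once it controls the Accessibility Service.
# The permission names are real Android ones; the grouping is assumed.
DANGEROUS = {
    "READ_SMS", "RECEIVE_SMS", "READ_CONTACTS", "READ_CALL_LOG",
    "CALL_PHONE", "SYSTEM_ALERT_WINDOW", "REQUEST_INSTALL_PACKAGES",
}
# Assumed set of apps worth protecting against phishing overlays.
SENSITIVE_TARGETS = {"com.example.bank", "com.example.wallet"}

THRESHOLD = 6  # assumed: score at or above this is reported as an anomaly


def score_package(events, package, a11y_window=timedelta(minutes=10),
                  burst_window=timedelta(seconds=60)):
    """Return (score, reasons) for one package from a list of events."""
    ev = sorted((e for e in events if e.package == package), key=lambda e: e.ts)
    score, reasons = 0, []
    installed = next((e.ts for e in ev if e.kind == "installed"), None)
    a11y = next((e.ts for e in ev if e.kind == "accessibility_enabled"), None)

    # Rule 1: Accessibility Service enabled shortly after installation.
    if installed and a11y and a11y - installed <= a11y_window:
        score += 3
        reasons.append("accessibility enabled %ds after install"
                       % (a11y - installed).seconds)

    # Rule 2: burst of dangerous permission grants right after accessibility
    # was enabled (the self-granting pattern described in the thread).
    if a11y:
        grants = [e for e in ev
                  if e.kind == "permission_granted" and e.detail in DANGEROUS
                  and a11y <= e.ts <= a11y + burst_window]
        if len(grants) >= 3:
            score += 4
            reasons.append("%d dangerous permissions granted within %ds of accessibility"
                           % (len(grants), burst_window.seconds))

    # Rule 3: overlay drawn over a sensitive app (phishing overlay pattern).
    overlays = {e.detail for e in ev
                if e.kind == "overlay_shown" and e.detail in SENSITIVE_TARGETS}
    if overlays:
        score += 3
        reasons.append("overlay over " + ", ".join(sorted(overlays)))
    return score, reasons


def is_anomalous(events, package):
    return score_package(events, package)[0] >= THRESHOLD


def sample_events():
    """Constructed timeline: one dropper-like app and one benign app."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    mal = "com.example.dropper"   # constructed malicious package name
    ben = "com.example.notes"     # constructed benign package name
    return [
        Event(t0, mal, "installed"),
        Event(t0 + timedelta(seconds=20), mal, "accessibility_enabled"),
        Event(t0 + timedelta(seconds=25), mal, "permission_granted", "READ_SMS"),
        Event(t0 + timedelta(seconds=26), mal, "permission_granted", "READ_CONTACTS"),
        Event(t0 + timedelta(seconds=27), mal, "permission_granted", "SYSTEM_ALERT_WINDOW"),
        Event(t0 + timedelta(seconds=28), mal, "permission_granted", "CALL_PHONE"),
        Event(t0 + timedelta(minutes=5), mal, "overlay_shown", "com.example.bank"),
        Event(t0, ben, "installed"),
        Event(t0 + timedelta(hours=2), ben, "permission_granted", "READ_CONTACTS"),
        Event(t0 + timedelta(days=1), ben, "accessibility_enabled"),  # enabled by the user much later
    ]


if __name__ == "__main__":
    evs = sample_events()
    for pkg in ("com.example.dropper", "com.example.notes"):
        s, why = score_package(evs, pkg)
        print(pkg, s, "ANOMALY" if s >= THRESHOLD else "ok", why)
```

The point of scoring rather than matching a single rule is that each signal alone is legitimate for some apps (screen readers enable accessibility, dialers ask for CALL_PHONE), while the combination within a short window after install is what the thread describes as abnormal. A real engine would also weigh the uninstall-protection behaviour mentioned above, which this example does not model.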

  • Nunzio77
    Nunzio77 Defender of the month mod

    Thanks @agozob, that is what I imagined about how AAD would behave. Show! 😀
    An excellent level of protection, and I believe it is currently the only one of its kind on the mobile AV market.

    Thanks for the very detailed information.😉


  • agozob
    agozob Team Lead, Cyber Threat Intelligence Lab BD Staff

    I'm glad I could help and very happy to see such feedback about the feature :)

    Thank you!