- 28/2026
- Critical
This report outlines the shared operational methodologies of advanced Mobile Malware, such as Brokewell, Anubis and Albiriox families. These threats represent a shift from simple credential harvesting to full device takeover through the systematic exploitation of the Mobile Accessibility Framework.
The “Accessibility Service” is a powerful background framework intended to assist users with disabilities by allowing applications to read screen content and interact with UI elements on the user’s behalf. Malware families like Brokewell, Anubis and Albiriox weaponize this framework to bypass standard security boundaries, with capabilities such as:
- Bypassing Security Restrictions: Modern iterations of this malware, such as Brokewell, include custom “loaders” specifically designed to circumvent Android 13+ “Restricted Settings” that normally prevent sideloaded apps from accessing these sensitive permissions.
- Privilege Escalation: Once the service is enabled, the malware can programmatically grant itself additional high-level system permissions (like SMS and Call Log access) without requiring further user interaction.
- Persistence and Protection: These services are often configured to monitor system settings; if a user attempts to disable the malware or revoke its permissions, the service can automatically trigger “Back” or “Home” commands to prevent the action.
- Automated Data Harvesting: The malware logs every UI event and text change, effectively acting as a system-wide keylogger that captures passcodes, login credentials, and session cookies from all installed applications.
- Remote Access and “Ghost” Interaction: By abusing accessibility commands, attackers can live-stream the device screen and simulate touch gestures (taps and swipes).
- Overlay Attacks: The malware detects when a targeted financial application is opened and steals credentials in real time, or displays a fake system interface that distracts the victim and conceals unauthorized application activity occurring in the background.
Mitigations
The following controls are relevant to the Mobile Applications scope. Constituents are mandated to assess their current mobile applications and provide CBE-Cyber-Security-CSRAT with the current status of fulfilling the controls listed below.
In case of failure or absence of one of the mentioned controls, a gap analysis with the compensating controls is required to be provided to CBE-Cyber-Security-CSRAT.
- The mobile application identifies any active system accessibility services and blocks its own usage until they are turned off. If there is a business need for accessibility mode, constituents can enable it for certain users based on customer request, limited to the mobile OS’s built-in, authentic accessibility apps only.
- The mobile application identifies whether any of the below services are active and blocks its own usage until they are turned off. These services include:
o Screen capturing (Video Recording)
o Remote Screen Viewing (VNC/Screen Mirroring)
o External overlays.
- Implement detection logic to identify, in real time, and shut down the mobile application in case of the existence of the following services:
o System Accessibility services
o Screen capturing (Video Recording)
o Remote Screen Viewing (VNC/Screen Mirroring)
o External overlays.
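The following Kotlin snippet is an added example of how an Android financial application can implement the controls above; it is not code from the advisory or from EG-FinCIRT. It enumerates enabled accessibility services and tolerates only those shipped as system (built-in) packages, treats any display other than the built-in one as a sign of screen capture or mirroring, refuses touches that arrive through an overlay, and shuts the app down when a finding is present. The package name, the `ThreatScreening` object and the `GuardedActivity` class are hypothetical names chosen for this example; the system-package test as a proxy for “built-in authentic apps” and the secondary-display heuristic are design assumptions, and the latter also triggers on a legitimate external monitor.

```kotlin
// Added example (not part of the EG-FinCIRT advisory). Package and class
// names are hypothetical; only public Android SDK APIs are used.
package com.example.bank.security

import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.content.pm.ApplicationInfo
import android.hardware.display.DisplayManager
import android.os.Build
import android.os.Bundle
import android.view.Display
import android.view.MotionEvent
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

object ThreatScreening {

    /** Result of one screening pass; a non-empty [findings] list means block the app. */
    data class Report(val findings: List<String>) {
        val clean: Boolean get() = findings.isEmpty()
    }

    /**
     * Ids ("package/class") of enabled accessibility services whose package is
     * NOT a system (built-in) app. OS-shipped services such as TalkBack pass;
     * anything sideloaded is reported. Assumption: "built-in" == FLAG_SYSTEM.
     */
    fun nonSystemAccessibilityServices(context: Context): List<String> {
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        val pm = context.packageManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .filter { info ->
                val pkg = info.resolveInfo.serviceInfo.packageName
                val appInfo = runCatching { pm.getApplicationInfo(pkg, 0) }.getOrNull()
                // Unknown package: fail closed and treat it as non-system.
                appInfo == null || (appInfo.flags and ApplicationInfo.FLAG_SYSTEM) == 0
            }
            .map { it.id }
    }

    /**
     * Heuristic for screen capture / remote viewing: a screen recorder, a Cast
     * session or a VNC-style tool registers an extra (virtual or remote)
     * display. Caveat: a legitimate external monitor is reported as well.
     */
    fun secondaryDisplays(context: Context): List<String> {
        val dm = context.getSystemService(Context.DISPLAY_SERVICE) as DisplayManager
        return dm.displays
            .filter { it.displayId != Display.DEFAULT_DISPLAY }
            .map { "display ${it.displayId}: ${it.name}" }
    }

    /** One screening pass over both checks. */
    fun screen(context: Context): Report {
        val findings = mutableListOf<String>()
        nonSystemAccessibilityServices(context).forEach { findings += "accessibility service: $it" }
        secondaryDisplays(context).forEach { findings += "screen capture/mirroring: $it" }
        return Report(findings)
    }
}

/**
 * Base activity for the financial app. It (1) marks its window FLAG_SECURE so
 * screenshots, MediaProjection recording and mirroring render black,
 * (2) re-screens on every resume and shuts down on findings, and (3) discards
 * touches delivered while another window is drawn over ours.
 */
abstract class GuardedActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
    }

    override fun onResume() {
        super.onResume()
        val report = ThreatScreening.screen(this)
        if (!report.clean) {
            // In production: report the findings to the backend and tell the
            // user which service must be turned off before exiting.
            finishAffinity()
        }
    }

    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        var obscured = (ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured = obscured || (ev.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        }
        if (obscured) {
            // An external overlay covers our window: do not act on the input.
            finishAffinity()
            return true
        }
        return super.dispatchTouchEvent(ev)
    }
}
```

Every activity of the app extends `GuardedActivity`, so the screening runs each time the app returns to the foreground and the overlay check applies to every touch. Note the residual gap: `FLAG_SECURE` blocks pixel-based capture but not an accessibility service that reads the view hierarchy, which is why the accessibility-service check above is the one that must not be disabled.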
References
Egyptian Financial Computing Incident Response Team (EG-FinCIRT).
