Overview
- ThreatFabric confirms active device‑takeover campaigns in Italy and Brazil: smishing delivers droppers that abuse the Accessibility service and hide the permission‑granting steps behind opaque overlays so the victim cannot see what is being approved.
- A built‑in “humanizer” splits text into single characters and injects each one after a randomized 0.3–3 second delay, so remote input does not trip behavioral anti‑fraud checks that key on input timing.
- Operators receive full remote‑control tooling, including credential‑stealing overlays, SMS interception for 2FA, keylogging, screen capture, and a web control panel.
- Command‑and‑control relies on MQTT over the domain google-firebase.digital, with seven active subdomains; observed lures include “Banca Sicura” (af45kfx) in Italy and “Modulo Seguranca Stone” (g24j5jgkid) in Brazil.
- Analysts report code and obfuscation overlap with Brokewell, recovered overlays for targets in the US, UK, Turkey, and Poland, and assess the service is likely to expand as it evolves.
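The humanizer bullet above describes remote input whose per-character delays are drawn from a 0.3–3 second window. The following is an added example (not code from the report or from ThreatFabric) of a cadence heuristic a fraud team could run over per-character input timestamps: a sequence with no sub-300 ms bursts and nearly every gap inside that window looks unlike a real typist and is flagged for review. The timestamps are constructed, and the window constants are taken from the bullet; a slow hunt-and-peck user can also land inside the window, so this is a triage signal, not a verdict.

```python
"""Keystroke-cadence heuristic for the 'humanizer' behaviour (added example).

Input: timestamps (seconds) of per-character input events on one field.
Signal: real typing produces many gaps well under 0.3 s; the emulated
cadence described in the report produces none, with every gap in 0.3-3 s.
"""
from itertools import accumulate
import statistics

FLOOR_S = 0.3      # lower edge of the randomized delay window in the report
CEILING_S = 3.0    # upper edge of that window
MIN_EVENTS = 8     # fewer gaps than this give no usable signal
IN_WINDOW_MIN = 0.9  # tolerate a few longer pauses between fields


def from_intervals(gaps, start=0.0):
    """Turn a list of inter-key gaps into absolute timestamps."""
    return list(accumulate(gaps, initial=start))


def intervals(timestamps):
    """Inter-event gaps in seconds for a sorted list of timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def cadence_features(timestamps):
    """Summary statistics used by the heuristic; 'count' is the number of gaps."""
    gaps = intervals(timestamps)
    if not gaps:
        return {"count": 0}
    return {
        "count": len(gaps),
        "min_s": min(gaps),
        "median_s": statistics.median(gaps),
        # share of gaps faster than the window floor (human bursts)
        "fast_fraction": sum(g < FLOOR_S for g in gaps) / len(gaps),
        # share of gaps that sit inside the emulated window
        "in_window_fraction": sum(FLOOR_S <= g <= CEILING_S for g in gaps) / len(gaps),
    }


def looks_like_humanizer(timestamps):
    """True when the cadence matches the emulated pattern; False otherwise."""
    f = cadence_features(timestamps)
    if f["count"] < MIN_EVENTS:
        return False
    return f["fast_fraction"] == 0.0 and f["in_window_fraction"] >= IN_WINDOW_MIN


# Constructed sample: a real typist entering ten characters, one longer pause.
HUMAN_TIMESTAMPS = from_intervals(
    [0.12, 0.09, 0.15, 0.11, 0.21, 0.80, 0.13, 0.10, 0.18, 0.14])

# Constructed sample: ten characters with gaps spread across the 0.3-3 s window.
HUMANIZER_TIMESTAMPS = from_intervals(
    [0.42, 1.87, 2.91, 0.35, 1.10, 2.44, 0.77, 1.63, 2.05, 0.98])


if __name__ == "__main__":
    for name, ts in (("human", HUMAN_TIMESTAMPS), ("humanizer", HUMANIZER_TIMESTAMPS)):
        print(name, cadence_features(ts), "flag:", looks_like_humanizer(ts))
```

The check is deliberately about distribution shape rather than a single "too fast" or "too slow" threshold, which is exactly the kind of timing gate the humanizer is built to pass; it should be combined with the other remote-control indicators on this page (Accessibility grants, overlay activity) rather than used alone.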
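The command‑and‑control bullet names one apex domain, google-firebase.digital, with seven active subdomains that the overview does not list. The following is an added example (not code from the report) of a suffix match over DNS query logs that catches the apex and any subdomain while rejecting look‑alike names; the log format and the subdomain label are constructed placeholders.

```python
"""Match DNS query logs against the C2 apex domain named in the report.

Added example. Log lines are constructed as: <timestamp> <client> <qname> <qtype>.
The subdomain label is a placeholder; only the apex comes from the report.
"""
C2_APEX_DOMAINS = frozenset({"google-firebase.digital"})


def normalize_host(host):
    """Lower-case and strip the trailing dot that DNS logs often carry."""
    return host.strip().rstrip(".").lower()


def matches_c2_domain(host, apexes=C2_APEX_DOMAINS):
    """True for the apex itself or any label under it.

    The '.' + apex suffix test avoids the classic substring bug where
    'notgoogle-firebase.digital' or 'google-firebase.digital.example.net'
    would wrongly match.
    """
    h = normalize_host(host)
    return any(h == apex or h.endswith("." + apex) for apex in apexes)


# Constructed sample log: two true hits, two look-alikes, one unrelated query.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.12 www.example.com A
2024-01-01T10:00:05Z 10.0.0.12 sub1-placeholder.google-firebase.digital. A
2024-01-01T10:00:09Z 10.0.0.27 google-firebase.digital A
2024-01-01T10:00:11Z 10.0.0.27 google-firebase.digital.example.net A
2024-01-01T10:00:14Z 10.0.0.33 notgoogle-firebase.digital A
"""


def scan_dns_log(text):
    """Return (client, qname) pairs for every query that hits the C2 domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, qname, _qtype = parts[:4]
        if matches_c2_domain(qname):
            hits.append((client, normalize_host(qname)))
    return hits


if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname}")
```

The same `matches_c2_domain` test applies to any host field you have (TLS SNI, proxy or MQTT broker logs); when the seven subdomains become known they need no extra entries, since any label under the apex already matches.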