Cybercriminals spread Brokewell via fake TradingView Premium ads on Meta, stealing crypto and data with remote control since July 2024.
Bitdefender warns threat actors are abusing Meta ads to spread fake TradingView Premium apps for Android, delivering Brokewell malware to steal crypto and data.
“Bitdefender researchers recently uncovered a wave of malicious ads on Facebook that lure targets with promises of a free TradingView Premium app for Android,” warns Bitdefender. “This campaign shows how cybercriminals are fine-tuning their tactics to keep up with user behavior. By targeting mobile users and disguising malware as trusted trading tools, attackers hope to cash in on the growing reliance on crypto apps and financial platforms.”

The malicious ad campaign abusing TradingView branding has used at least 75 fake ads since July 22, luring Android users to download a trojanized .apk from cloned sites.

Once installed, the app requests accessibility permissions, hides behind fake update prompts, and tricks users into giving lock screen PINs. It then deploys Brokewell, an evolved spyware and RAT that supports extensive capabilities to monitor, control, and steal sensitive data, targeting EU users at scale.
According to Bitdefender, the malicious Android app is highly sophisticated, using obfuscation, native libraries, and reflection to hide most of its code. The malware contains a JSON configuration for overlaying apps and a decrypted .dex file with the main payload.
The Brokewell malware communicates with C2 servers via Tor and WebSocket and supports extensive commands for espionage, including clipboard and email scraping, keylogging, camera/microphone access, geolocation tracking, SMS/call control, crypto wallet theft, system manipulation, and stealth/uninstall protections. It can also perform advanced device operations like VNC streaming, device mode toggles, overlay injection, and remote execution, making it a full-featured RAT capable of comprehensive surveillance and control over the infected Android device.
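The permission review Bitdefender recommends can be partly automated for a sideloaded APK. The following is an added example, not code from the report or from Bitdefender: it parses an AndroidManifest.xml that has already been decoded to plain XML (for instance with apktool) and flags the capability profile described above (accessibility service, overlays, SMS access, camera, microphone, location). The permission-to-behaviour mapping and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions mapped to the capabilities the report attributes to Brokewell.
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay injection",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.SEND_SMS": "sending SMS on command",
    "android.permission.CALL_PHONE": "placing calls",
    "android.permission.CAMERA": "camera access",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.ACCESS_FINE_LOCATION": "live location tracking",
}
def triage_manifest(xml_text):
    """Return (verdict, findings) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = {}
    for el in root.iter("uses-permission"):
        name = el.get(NS + "name", "")
        if name in RISKY:
            findings[name] = RISKY[name]
    # The accessibility service is what lets the malware click through its
    # own prompts and read the screen; it is declared on a <service> element.
    for svc in root.iter("service"):
        if svc.get(NS + "permission") == ACCESSIBILITY:
            findings[ACCESSIBILITY] = "accessibility abuse"
    has_sms = any(n.endswith("_SMS") for n in findings)
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in findings
    if ACCESSIBILITY in findings and overlay and has_sms:
        verdict = "HIGH"  # accessibility + overlay + SMS: the banker profile
    elif findings:
        verdict = "REVIEW"
    else:
        verdict = "LOW"
    return verdict, findings

# Constructed sample of what a trojanized "trading" app might declare.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.trading">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".Acc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Calling `triage_manifest(SAMPLE_MANIFEST)` returns the verdict and the matched behaviours; a legitimate charting app declaring only network access would come back as LOW.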
“Once installed, the malware reveals itself as far more than a simple credential stealer. It’s an advanced version of the Brokewell malware, a full-fledged spyware and remote access trojan (RAT) with a vast arsenal of tools designed to monitor, control, and steal sensitive information from the victim’s device,” continues the report. “Its capabilities include:
- Crypto theft – Scanning for BTC, ETH, USDT, IBANs, and more.
- 2FA bypass – Scraping and exporting codes from Google Authenticator.
- Account takeover – Providing the possibility to overlay fake login screens.
- Surveillance – Recording screens, keylogging, stealing cookies, activating the camera and microphone, and tracking live location.
- SMS interception – Hijacking the default SMS app to intercept messages, including banking and 2FA codes.
- Remote control – Communicating with attackers over Tor and WebSockets, with commands to send SMS, place calls, uninstall apps, or even self-destruct.
In short, this is one of the most advanced Android threats seen in a malvertising campaign to date.”
The experts recommend installing apps only from official stores, avoiding suspicious ads, checking URLs, and reviewing app permissions.
“This expansion signals an alarming trend: mobile users are no longer safe from malvertising campaigns that once primarily targeted desktops. The combination of brand impersonation, localized ads, and sophisticated malware capabilities makes this campaign especially dangerous,” concludes Bitdefender.
“With the rise of mobile banking, crypto wallets, and 2FA apps on smartphones, the stakes are higher than ever. A single compromised Android device can hand over access to a victim’s finances, personal communications, and sensitive accounts.”
Pierluigi Paganini
(SecurityAffairs – hacking, Brokewell malware)