PostHole
rss-bridge 2025-08-26T14:44:16+00:00


Malvertising Campaign on Meta Expands to Android, Pushing Advanced Crypto-Stealing Malware to Users Worldwide

Ionut Alexandru BALTARIU
Alexandra-Svetlana Dinulica (Bocereg)
Andreea OLARIU
Alina BÎZGĂ

August 26, 2025


Many people believe that smartphones are somehow less of a target for threat actors. They couldn’t be more wrong.

Bitdefender Labs warns that cybercriminals are doubling down on spreading malware through Meta’s advertising system. After months of targeting Windows desktop users with fake ads for trading and cryptocurrency platforms, hackers are now shifting towards Android users worldwide.

Bitdefender researchers recently uncovered a wave of malicious ads on Facebook that lure targets with promises of a free TradingView Premium app for Android. Instead of delivering legitimate software, the ads drop a highly advanced crypto-stealing trojan — an evolved version of the Brokewell malware.

This campaign shows how cybercriminals are fine-tuning their tactics to keep up with user behavior. By targeting mobile users and disguising malware as trusted trading tools, attackers hope to cash in on the growing reliance on crypto apps and financial platforms.

Inside the Malicious Ad Campaign Targeting Android Users

According to our most recent analysis, the campaign, which is still active, has used at least 75 malicious ads since 22 July 2025. By 22 August, the ads had reached tens of thousands of users in the EU alone.

The ads used TradingView’s branding and visuals to trick people into downloading the free premium app onto their devices.

We’ve even spotted a variation of the ad pairing the TradingView branding with an image of a Labubu.

Note: the landing page is cloaked. If a desktop user, who is outside the targeted group, clicks the ad, random benign content is served instead.

Android users who follow the link, however, are redirected to a cloned page that mimics the official TradingView site (new-tw-view[.]online), where they unknowingly download a malicious .apk file from tradiwiw[.]online/tw-update.apk.

The downloaded file (MD5 788cb1965585f5d7b11a0ca35d3346cc) is a dropper; it carries a packed payload APK with MD5 58d6ff96c4ca734cd7dfacc235e105bd.
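The indicators above can be matched against DNS and proxy logs directly. The Python script below is an added example written for this page, not Bitdefender's tooling: it refangs the published indicators, searches constructed sample log lines (the log format, timestamps and client IPs are made up) for the two domains and any of their subdomains, and looks a file's MD5 up against the two published hashes.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Indicators from the write-up above, kept in their published (defanged) form.
IOC_DOMAINS_DEFANGED = ["new-tw-view[.]online", "tradiwiw[.]online"]
IOC_MD5 = {
    "788cb1965585f5d7b11a0ca35d3346cc": "tw-update.apk (dropper)",
    "58d6ff96c4ca734cd7dfacc235e105bd": "packed payload APK dropped by it",
}


def refang(indicator: str) -> str:
    """Turn the published '[.]' / 'hxxp' form back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def domain_regex(domains: List[str]) -> "re.Pattern[str]":
    """Match an IOC domain, or any subdomain of it, as a whole host token.

    The lookarounds stop 'nottradiwiw.online' and 'tradiwiw.online.evil'
    from matching, while 'cdn.tradiwiw.online' and a DNS-style trailing
    dot ('tradiwiw.online.') still do."""
    alts = "|".join(re.escape(refang(d)) for d in domains)
    return re.compile(rf"(?<![\w.-])(?:[\w-]+\.)*(?:{alts})(?!\.?[\w-])", re.IGNORECASE)


def scan_log_lines(lines: List[str],
                   domains: List[str] = IOC_DOMAINS_DEFANGED) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_host, line) for each line touching an IOC domain."""
    rx = domain_regex(domains)
    hits = []
    for number, line in enumerate(lines, start=1):
        m = rx.search(line)
        if m:
            hits.append((number, m.group(0).lower(), line))
    return hits


def lookup_md5(data: bytes) -> Optional[str]:
    """Return the IOC label if the MD5 of `data` is one of the published hashes."""
    return IOC_MD5.get(hashlib.md5(data).hexdigest())


# Constructed sample log lines (format, timestamps and client IPs are made up).
SAMPLE_LOG = [
    "2025-08-20T10:01:02Z dns client=10.0.0.12 qname=www.tradingview.com. rcode=NOERROR",
    "2025-08-20T10:01:05Z dns client=10.0.0.12 qname=new-tw-view.online. rcode=NOERROR",
    "2025-08-20T10:01:09Z proxy client=10.0.0.12 GET https://tradiwiw.online/tw-update.apk 200 application/vnd.android.package-archive",
    "2025-08-20T10:02:00Z dns client=10.0.0.15 qname=tradiwiw.online.evil.example. rcode=NXDOMAIN",
    "2025-08-20T10:03:11Z dns client=10.0.0.15 qname=cdn.tradiwiw.online. rcode=NOERROR",
]

if __name__ == "__main__":
    for number, host, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {host} <- {line}")
    print(lookup_md5(b"not the real sample"))  # None: only the two published hashes match
```

Against a real export, pass the file's lines to scan_log_lines and a downloaded file's bytes to lookup_md5. Treat the hash matches as a weak control on their own, since repacking the APK changes them; the domain hits are the durable signal.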

Once installed, the app immediately begins requesting powerful permissions such as accessibility access, all while hiding behind fake update prompts.

The dropped application asks for accessibility access. Once granted, it covers the screen with a fake update prompt while, in the background, it grants itself every other permission it needs.

The application also tries to trick the user into entering their lock screen PIN.

It also overlays some installed apps, such as YouTube, with a WebView and a Toast message prompting the user to download the Venmo app.

The initial application (the dropper) decrypts the payload APK from its resources and starts it by prompting the user to grant it accessibility permissions, since the dropped app has no launcher activity. Once the user grants them, the dropper uninstalls itself to cover its tracks.
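A responder who suspects this kind of infection can check the two settings the payload abuses straight from adb output. The Python below is an added example for this page, not Bitdefender's tooling: it parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure sms_default_application` and `adb shell pm list packages -i`, flags any accessibility service outside an assumed allowlist, and raises the severity when the same package was sideloaded or took over the default SMS role. The package name com.hypothetical.twupdate and the allowlists are invented placeholders, not indicators from the report.

```python
import re
from typing import Dict, List, Tuple

# Assumed allowlists (placeholders to adapt per fleet, not from the report):
# packages that may legitimately run an accessibility service, and packages
# that may hold the default-SMS role.
A11Y_ALLOWLIST = ("com.google.android.marvin.talkback", "com.android", "com.samsung.android")
SMS_ALLOWLIST = ("com.google.android.apps.messaging", "com.samsung.android.messaging")
TRUSTED_INSTALLERS = ("com.android.vending",)  # Google Play


def parse_accessibility_services(raw: str) -> List[Tuple[str, str]]:
    """Parse Settings.Secure.enabled_accessibility_services: a colon-separated
    list of flattened ComponentNames, 'pkg/cls' or 'pkg/.RelativeCls'.
    'null' is what `settings get` prints when nothing is enabled."""
    services = []
    for entry in raw.strip().split(":"):
        if not entry or entry == "null":
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(raw: str) -> Dict[str, str]:
    """Parse `pm list packages -i` output into {package: installer}."""
    installers = {}
    for line in raw.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def _allowed(pkg: str, allowlist: Tuple[str, ...]) -> bool:
    return any(pkg == a or pkg.startswith(a + ".") for a in allowlist)


def triage(a11y_raw: str, default_sms: str, pm_raw: str) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs.

    Any accessibility service outside the allowlist is worth a look; it becomes
    'high' when the same package was sideloaded (installer not Google Play) or
    also holds the default-SMS role, the combination this family relies on for
    its overlay and SMS-interception tricks."""
    installers = parse_installers(pm_raw)
    findings = []
    for pkg, cls in parse_accessibility_services(a11y_raw):
        if _allowed(pkg, A11Y_ALLOWLIST):
            continue
        sideloaded = installers.get(pkg, "null") not in TRUSTED_INSTALLERS
        took_sms = pkg == default_sms
        severity = "high" if (sideloaded or took_sms) else "medium"
        findings.append((severity, f"accessibility service {cls} "
                                   f"(sideloaded={sideloaded}, default_sms={took_sms})"))
    if not _allowed(default_sms, SMS_ALLOWLIST):
        findings.append(("high", f"default SMS app is {default_sms}"))
    return findings


# Constructed sample output; com.hypothetical.twupdate is a placeholder name.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.hypothetical.twupdate/com.hypothetical.twupdate.AcsService")
SAMPLE_DEFAULT_SMS = "com.hypothetical.twupdate"
SAMPLE_PM = """package:com.google.android.apps.messaging  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.hypothetical.twupdate  installer=null
"""

if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_A11Y, SAMPLE_DEFAULT_SMS, SAMPLE_PM):
        print(severity.upper(), finding)
```

Collect the three raw values over adb and pass them to triage. Because the payload has no launcher icon and can hide itself, the accessibility-service list and the default-SMS setting are more reliable places to look than the app drawer.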

Decrypting the strings used in the classes reveals permission-request text localized into multiple languages, including English, Spanish, Portuguese, German, French, Italian, Turkish and Finnish.

Once installed, the malware reveals itself as far more than a simple credential stealer. It’s an advanced version of the Brokewell malware, a full-fledged spyware and remote access trojan (RAT) with a vast arsenal of tools designed to monitor, control, and steal sensitive information from the victim’s device.

Its capabilities include:

  • Crypto theft – Scanning for BTC, ETH, USDT, IBANs, and more.
  • 2FA bypass – Scraping and exporting codes from Google Authenticator.
  • Account takeover – Overlaying fake login screens on top of legitimate apps.
  • Surveillance – Recording screens, keylogging, stealing cookies, activating the camera and microphone, and tracking live location.
  • SMS interception – Hijacking the default SMS app to intercept messages, including banking and 2FA codes.
  • Remote control – Communicating with attackers over Tor and WebSockets, with commands to send SMS, place calls, uninstall apps, or even self-destruct.

In short, this is one of the most advanced Android threats seen in a malvertising campaign to date.

The app is obfuscated and uses two native libraries to resolve which methods to execute and the parameters to call them with. It also contains methods that search text for crypto-wallet address patterns (regexes) such as:

The dropped application contains two raw resource files, used as:

  • A configuration file, loaded as JSON, that lists which websites to use when overlaying installed apps on the device.
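Decrypting a second-stage APK out of resources (as the dropper does) and shipping the overlay list as a raw JSON file both leave tells that static triage can pick up without any key: a large, high-entropy entry under res/raw/ or assets/ that is not a compressed media format, and a plaintext JSON entry next to it. The Python below is an added example for this page, not Bitdefender's analysis code: it builds a constructed stand-in APK in memory (placeholder manifest, junk dex, a JSON overlay list and a random blob; none of it comes from the real sample) and then labels each raw/asset entry by Shannon entropy and JSON parseability.

```python
import io
import json
import math
import random
import zipfile
from collections import Counter
from typing import Dict

# Formats that are already compressed, so high entropy is expected there.
COMPRESSED_EXT = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".ogg", ".mp3", ".mp4", ".ttf", ".otf")
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data sits near 8.0
MIN_SIZE = 4096           # entropy of tiny entries is too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for constant data and 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_entry(name: str, data: bytes) -> str:
    """Label one archive entry as 'json-config', 'encrypted-blob' or 'other'."""
    try:
        obj = json.loads(data.decode("utf-8"))
        if isinstance(obj, (dict, list)):
            return "json-config"
    except (UnicodeDecodeError, ValueError):
        pass
    if (len(data) >= MIN_SIZE
            and not name.lower().endswith(COMPRESSED_EXT)
            and shannon_entropy(data) > ENTROPY_THRESHOLD):
        return "encrypted-blob"
    return "other"


def triage_apk(apk_bytes: bytes) -> Dict[str, str]:
    """Return {entry_name: label} for every file under res/raw/ or assets/.

    An APK is a zip, so no Android tooling is needed for this pass."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.filename.startswith(("res/raw/", "assets/")):
                continue
            results[info.filename] = classify_entry(info.filename, zf.read(info))
    return results


def build_sample_apk() -> bytes:
    """Constructed stand-in for the dropper; every entry here is made up."""
    rng = random.Random(2025)  # fixed seed so the run is reproducible
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<placeholder manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" * 2000)
        # Plaintext overlay config, like the JSON raw file described above.
        zf.writestr("res/raw/overlays", json.dumps(
            {"inject": [{"pkg": "com.example.bank", "url": "https://overlay.example/login"}]}))
        # Random bytes standing in for the encrypted second-stage APK.
        zf.writestr("res/raw/stage2", rng.randbytes(64 * 1024))
        zf.writestr("assets/banner.png", rng.randbytes(8 * 1024))
        zf.writestr("assets/notes.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, label in triage_apk(build_sample_apk()).items():
        print(f"{label:15s} {name}")
```

On a real sample, pass the file's bytes to triage_apk. An 'encrypted-blob' hit tells you which resource to trace back to the decryption routine in the dropper's code, and a 'json-config' hit is usually where the overlay target list lives.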

The application connects to a Tor server and a WebSocket Secure (WSS) server for C2 communication and logging.

Extended supported commands:


Commands
do_SET_DEFSMS_APP
revert_DEF_SMS_APP
only_hide_DEF_SMS_APP
doRUN_JS_WEBVW
estabWSOCK_APK_SHELL
doGETCLIPBOARDVAL
doDUMPKEYLOGTXT
doDUMPPUSHNOTIFTXT
doCSTSHOT
doSHOWTOAST
doPING
doINIT
getInstalledPackages
checkIPexit
getBattery
runSHELL
setC2addr
setwsockC2addr
do_ADD_CONTACT
showNotif
showOVLAY
doCustomShowOVLAY
doClearOVLAY
AcsDumpCurrentNode
openCertainAPK
ToggleNotifCertainAPK
readLOCKPIN
scrape_GOOGLE_AUTHENTICATOR
export_GOOGLE_AUTHENTICATOR
export_bycoord_GOOGLE_AUTHENTICATOR
scrape_GMAIL_last_inbox
scrape_YAHOO_last_inbox
scrape_OUTLOOK_last_inbox
turnon_DEVMODE_feature
turnon_byelem_DEVMODE_feature
steal_GMS_PASSWD
doOneShotCamFront
doStreamCamFront
doOneShotCamBack
doStreamCamBack
doStopCamServices
start_VNC_smallshot
stop_VNC_smallshot
doSet_IBAN_NUM
doGet_IBAN_NUM
doClear_IBAN_NUM
doSet_USDT_TRC20
doGet_USDT_TRC20
doClear_USDT_TRC20
doSet_BTC_ADDR
doGet_BTC_ADDR
doClear_BTC_ADDR
doSet_ETH_ADDR
doGet_ETH_ADDR
doClear_ETH_ADDR
do_run_uninstallAVseq
do_SOCKS5_start_server
do_SOCKS5_stop_server
do_SSH_PORT_FWD
openWebvwC2Inject
askC2_LOCKPIN
askC2_PERMIT
checkPERMIT
simulateVIBRATE
zeroVOLUME
zeroBRIGHTNESS
doSendSMS
doPhoneCall
doUninstallPKG
DO_download_URL_to_fname
DO_install_apk_file
setInjectList
GetJSONInjectList
ClearInjectList
ClearInjectBypassList
doEnableUnknownSourceInstall
doRecordAudio
doStartProjection
doStopProjection
doScreenshot
doClickElem
doClickXY
doSwipeXY
doDrawXY
doTypingElem
doScrollElem
doGetGeoloc
DO_live_loc_routine
DO_stop_liveloc_routine
doCheckKeyguardState
doHideIcon
doHideFKLCRIcon
doUnHideIcon
doUnHideFKLCRIcon
doEnabAggressiveReconnect
doDisabAggressiveReconnect
doWakeScreen
doPINAutoUnlockScreen
doPATTERNAutoUnlockScreen
doPASSWDAutoUnlockScreen
openDeveloperOptions
doGetCallHistory
doActivateAdminPermit
doOpenNotifSettings
doStopAcsSrvc
doSelfDestroy
doFlipANTI_UNINSTALL
doGetPKGINFO
doSetAggressiveACSMASK
doSetAssertiveACSMASK
doGetRAMconsumed
DoGlobalActionHome
DoGlobalActionBack
DoGlobalActionRecents
DoGlobalActionNotifications
DoGlobalActionPWRdialog
DoGlobalActionLockScreen
DoGlobalActionTakeScreenshot
DoGlobalActionDpadCenter
DoGlobalActionDpadDown
DoGlobalActionDpadLeft
DoGlobalActionDpadRight
DoGlobalActionDpadUp

[...]

