Bitdefender Labs has identified a rapidly expanding malvertising campaign on Facebook targeting Android users with crypto-stealing malware disguised as a fake TradingView app.
The operation has reportedly been active since July and has surfaced at least 75 malicious advertisements appearing on Facebook. These adverts are designed to trick users into sideloading what is presented as a “TradingView Premium” Android application. Instead, what victims actually download is an evolved form of the Brokewell malware, characterised as both spyware and a remote access trojan (RAT).
Mobile targeting
While such campaigns have traditionally targeted desktop users, Bitdefender’s findings point to a marked shift towards mobile devices. According to its analysis, the Android-specific strand of the campaign has already reached tens of thousands of users across the European Union, riding on the trust many users place in a mainstream social media platform.
When an Android user taps the malicious advertisement, they are redirected to a spoofed TradingView website (“new-tw-view[.]online”) and encouraged to download a trojanised .apk file. Once installed, the app immediately asks for accessibility access, hiding the request behind a fake update prompt. Android’s accessibility service API lets an app read what is on screen and perform actions on the user’s behalf, which is what gives the malware the extensive control over the device described below.
Malware capabilities
This specific Brokewell variant demonstrates a broad spectrum of malicious capabilities. It scans for cryptocurrency wallet addresses – including Bitcoin (BTC), Ethereum (ETH), and Tether (USDT) – as well as banking details and IBANs. The malware can also extract two-factor authentication (2FA) codes from applications such as Google Authenticator, facilitate account takeover through credential phishing overlays, log keystrokes, record the screen, activate the device’s camera and microphone, and track location via GPS.
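To make the scanning step concrete, here is an added example, written for this edit rather than taken from Bitdefender’s report or from the malware, of the pattern matching such a module keys on, run over a constructed chat snippet. Legacy Bitcoin addresses are verified with their Base58Check checksum and IBANs with the ISO 7064 mod-97 check, so near-misses are discarded; bech32 and Ethereum addresses are matched by pattern only. USDT is held at addresses of whichever chain it is issued on (an ERC-20 USDT address is an Ethereum address; TRC-20 USDT uses Tron addresses, not covered here), so the ETH pattern covers it. The sample values are documented test vectors or made up, not indicators from the campaign, and the same logic is usable defensively, for example to flag wallet addresses or IBANs turning up in clipboard or notification telemetry.

```python
import hashlib
import re

# Constructed sample text for this example. The values are documented test
# vectors (Bitcoin genesis address, BIP173 bech32 vector, the standard
# GB82 WEST example IBAN) or made up; none are indicators from the campaign.
SAMPLE_TEXT = (
    "send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa and the rest to "
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4, ETH goes to "
    "0x0123456789abcdef0123456789abcdef01234567, invoice IBAN is "
    "GB82 WEST 1234 5698 7654 32, and the mistyped 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"
)

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_LEGACY_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")   # P2PKH / P2SH
BTC_BECH32_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")                          # also ERC-20 (USDT)
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")        # allows 4-char grouping


def base58check_ok(addr):
    """Decode a Base58Check string and verify its 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    # Each leading '1' encodes a leading zero byte (e.g. the 0x00 P2PKH version byte).
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def iban_ok(iban):
    """ISO 7064 mod-97: move the first four chars to the end, map A..Z to 10..35, remainder must be 1."""
    iban = iban.replace(" ", "").upper()
    if not 15 <= len(iban) <= 34 or not iban.isalnum():
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def scan_for_financial_identifiers(text):
    """Return (kind, value) pairs found in text; checksummed formats are validated first."""
    hits = []
    for m in BTC_LEGACY_RE.finditer(text):
        if base58check_ok(m.group()):        # drops typos and random base58-looking noise
            hits.append(("btc", m.group()))
    for m in BTC_BECH32_RE.finditer(text):
        hits.append(("btc", m.group()))      # pattern only; bech32 checksum not verified here
    for m in ETH_RE.finditer(text):
        hits.append(("eth", m.group()))      # covers ERC-20 tokens such as USDT on Ethereum
    for m in IBAN_RE.finditer(text):
        if iban_ok(m.group()):
            hits.append(("iban", m.group().replace(" ", "")))
    return hits


if __name__ == "__main__":
    for kind, value in scan_for_financial_identifiers(SAMPLE_TEXT):
        print(f"{kind:5} {value}")
```

The checksum steps matter in both directions: a stealer that validates what it finds avoids exfiltrating junk, and a defender scanning telemetry for leaked account identifiers avoids a flood of false positives from base58-looking tokens such as session IDs.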
Remote access is provided over the Tor network and WebSockets, through which attackers issue commands such as initiating calls, sending SMS messages, and uninstalling applications. Bitdefender also notes the application’s multilingual interface, heavy obfuscation through native libraries, resources that are kept encrypted and decrypted only at runtime to hide its functionality, and self-removal of the dropper application to minimise evidence on compromised devices.
Global reach and deception
The campaign forms part of a wider global malvertising scheme that has previously impersonated a range of well-known brands including Binance, Bitso, Bybit, Exness, and public figures such as Donald Trump. Bitdefender points out the sophisticated use of hyper-localised content: advertisements mimic brands like Lemon.me in Latin America and Exness in Thailand. In the EU, TradingView is the primary lure for Android users. Local language, cultural adaptation, and device-specific targeting make both detection and removal more challenging for security teams.
Further complicating awareness and take-down, the campaign cloaks itself: if the malicious links are opened from a non-targeted platform such as a desktop browser or an iOS device, the visitor is shown benign content, which hampers both reporting by users and analysis by researchers working from those environments.
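A practical way to surface that cloaking is to request the same ad link under several client profiles and compare where each one lands. The script below is an added example for this edit, not Bitdefender’s tooling; the User-Agent and Referer strings, the `lure.example` URLs and the page bodies are constructed, and the profile names are arbitrary. The offline sample reproduces the behaviour the report describes: desktop and iOS controls receive the same bland page, while the Android-from-Facebook profile is bounced to a page offering an APK.

```python
import hashlib
import urllib.request

# Client profiles to probe with. Header strings are constructed for this example;
# the point is one Android-from-Facebook profile against two control profiles.
PROFILES = {
    "android_fb": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36",
        "Referer": "https://m.facebook.com/",
    },
    "ios": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                      "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
        "Referer": "https://m.facebook.com/",
    },
    "desktop": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    },
}


def fetch_profile(url, headers, timeout=15):
    """Fetch url as one profile and return (final_url, body). Live network call; unused by the offline demo."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.read()


def fetch_all(url):
    """Fetch url once per profile; feed the result to cloaking_report()."""
    return {name: fetch_profile(url, hdrs) for name, hdrs in PROFILES.items()}


def fingerprint(final_url, body):
    return final_url, hashlib.sha256(body).hexdigest()[:16], len(body)


def cloaking_report(results, control="desktop"):
    """Compare every profile's landing page with the control profile's.

    results maps profile name -> (final_url, body_bytes). A profile diverges if it
    ended at a different URL or received a different body. An APK is 'offered' if
    the body references an .apk or the response itself is a ZIP container
    (APK files are ZIPs, magic bytes PK\\x03\\x04).
    """
    fps = {name: fingerprint(url, body) for name, (url, body) in results.items()}
    base_url, base_hash, _ = fps[control]
    diverging = sorted(n for n, (u, h, _) in fps.items() if (u, h) != (base_url, base_hash))
    apk_offered = sorted(n for n, (u, b) in results.items()
                         if b[:4] == b"PK\x03\x04" or b".apk" in b.lower())
    return {"cloaked": bool(diverging), "diverging": diverging,
            "apk_offered_to": apk_offered, "fingerprints": fps}


# Constructed offline sample: both controls get the same bland page, the
# Android-from-Facebook profile is redirected to a download page.
BENIGN = b"<html><body><h1>Market news</h1><p>Nothing to see.</p></body></html>"
LURE = b"<html><body><a href='/TradingView_Premium.apk'>Download app</a></body></html>"
SAMPLE_RESULTS = {
    "desktop": ("https://lure.example/", BENIGN),
    "ios": ("https://lure.example/", BENIGN),
    "android_fb": ("https://lure.example/download", LURE),
}

if __name__ == "__main__":
    report = cloaking_report(SAMPLE_RESULTS)   # live check: cloaking_report(fetch_all(url))
    print(report["cloaked"], report["diverging"], report["apk_offered_to"])
```

Two caveats for live use. The report says the EU strand targets Android specifically, so the server may also gate on the source IP’s geolocation; probe from an EU egress or via a proxy there, or a negative result proves nothing. And pages with per-request nonces or ad slots will hash differently on every fetch, so fetch the control profile twice to learn the baseline noise and weight the final URL and body length over the hash.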
Security advice
Bitdefender recommends the following steps for mobile users: do not sideload apps, and install them only from official app stores such as Google Play; treat all ads with scepticism, even on trusted platforms; check URLs, since lookalike domains are common in malware campaigns; scrutinise permission requests, treating accessibility access and lock-screen PIN prompts as major red flags; and use protection such as Bitdefender Mobile Security for Android, which detects and blocks threats like this one.
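The accessibility prompt described under Mobile targeting and the permission advice above suggest a quick triage check for a device an incident responder has in hand: list the accessibility services that are enabled and cross-reference each one’s package with the installer that put it there. The script below is an added example for this edit, not Bitdefender’s or the malware’s code. It parses the output of two `adb shell` commands (`settings get secure enabled_accessibility_services`, which returns a colon-separated list of component names, and `pm list packages -i`, which shows each package’s installer); the sample output, the package name `com.example.tvpremium` and the set of “store” installers are constructed assumptions.

```python
import re

# Constructed adb output for this example (not real device data). Live equivalents:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.tvpremium/.AccService"
)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.tvpremium  installer=com.google.android.packageinstaller
package:com.android.chrome  installer=null
"""

# Installer package names that mean "came from an app store". Assumption for the
# example; extend it for your fleet (an MDM agent, an OEM store, ...).
STORE_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw):
    """Split the colon-separated ComponentName list; expand a '.Short' class name to its package."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    services = []
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw):
    """Map package -> installer package; 'null' becomes None (adb, OEM image or unknown)."""
    installers = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", raw, re.M):
        installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def audit(enabled_raw, packages_raw, store_installers=STORE_INSTALLERS):
    """Return enabled accessibility services whose package did not come from a store."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        installer = installers.get(pkg)
        if installer not in store_installers:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"suspicious accessibility service {f['service']} (installer={f['installer']})")
```

An installer of `com.google.android.packageinstaller` is what a manually installed APK, for example one downloaded in the browser, typically shows, so an accessibility service from such a package is exactly the combination the article warns about. A `None` installer is not automatically bad (preloaded system apps and adb-installed test builds show it too), which is why the audit reports the installer rather than just a verdict.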
The company also suggests using tools such as Bitdefender Link Checker to examine suspicious links or consulting its AI-powered scam detection assistant, Scamio.
Changing tactics
This campaign demonstrates an evolution in malware distribution tactics, as malicious actors adapt to users’ shifting behaviours and increasing reliance on mobile devices for financial activity. According to Bitdefender, attackers are taking advantage of this change by targeting the mobile ecosystem with more precision and sophistication.
Bitdefender states it continues to monitor the campaign and will update its threat detection capabilities as the situation develops.