Bitdefender Labs has issued a new warning about a global malvertising campaign abusing Meta’s advertising system to spread advanced Android malware. Initially focused on Windows desktop users, the campaign has now pivoted toward mobile users worldwide, disguising malware as trusted financial tools.
According to the report, “Bitdefender researchers recently uncovered a wave of malicious ads on Facebook that lure targets with promises of a free TradingView Premium app for Android. Instead of delivering legitimate software, the ads drop a highly advanced crypto-stealing trojan – an evolved version of the Brokewell malware.”
The campaign has deployed at least 75 malicious ads since July 22, 2025, reaching tens of thousands of users in the EU alone by August 22.
Victims clicking the ads were redirected to cloned websites like new-tw-view[.]online, which delivered a malicious APK from tradiwiw[.]online/tw-update.apk.
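The two indicators named above can be matched against web-proxy logs. The following Python sketch is an added example, not code from Bitdefender or the original article; the log format (timestamp, client IP, method, URL) and the sample lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators exactly as they appear (defanged) in the article.
DEFANGED_IOCS = ["new-tw-view[.]online", "tradiwiw[.]online/tw-update.apk"]

def refang(ioc):
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").lower()

def ioc_hosts(iocs):
    """Keep only the host part; the path can change between campaign waves."""
    return {refang(i).split("/", 1)[0] for i in iocs}

def host_matches(host, hosts):
    """Exact host or a subdomain of it; look-alike prefixes must not match."""
    host = host.rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)

def triage(log_lines, iocs=DEFANGED_IOCS):
    """Return (client, reason) for every request to a listed host."""
    hosts, hits = ioc_hosts(iocs), []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        client, url = fields[1], fields[3]
        parts = urlsplit(url)  # .hostname is already lower-cased
        if not host_matches(parts.hostname or "", hosts):
            continue
        is_apk = parts.path.lower().endswith(".apk")
        hits.append((client, "ioc-apk-download" if is_apk else "ioc-host"))
    return hits

# Constructed sample log (assumed format): timestamp, client IP, method, URL.
LANDING, DROPPER = sorted(ioc_hosts(DEFANGED_IOCS))
SAMPLE_LOG = [
    "2025-08-20T10:01:02Z 10.0.0.5 GET https://www.tradingview.com/chart/",
    f"2025-08-20T10:01:09Z 10.0.0.7 GET https://{LANDING}/",
    f"2025-08-20T10:01:11Z 10.0.0.7 GET https://{DROPPER.upper()}/tw-update.apk",
    f"2025-08-20T10:02:00Z 10.0.0.9 GET https://not{LANDING}/",
    f"2025-08-20T10:02:30Z 10.0.0.8 GET http://cdn.{DROPPER}/index.html",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A client that shows an `ioc-host` hit followed by an `ioc-apk-download` hit, as 10.0.0.7 does in the sample, has followed the redirect chain described above and should be checked for the sideloaded app.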
Once installed, the rogue app immediately requested dangerous permissions while displaying fake update prompts to mask its activity. As Bitdefender notes: “The dropped application asks for accessibility, and after receiving it, the screen is covered with a fake update prompt. In the background, the application is giving itself all the permissions it needs.”
The malware then attempted to harvest the user’s lock screen PIN and overlay fake login screens over legitimate apps such as YouTube or Venmo.
But this was far more than a credential stealer. The report explains: “Once installed, the malware reveals itself as far more than a simple credential stealer. It’s an advanced version of the Brokewell malware, a full-fledged spyware and remote access trojan (RAT) with a vast arsenal of tools designed to monitor, control, and steal sensitive information.”
Its capabilities include:
- Crypto theft: scanning for BTC, ETH, USDT, and IBANs.
- 2FA bypass: scraping Google Authenticator codes.
- Account takeover: overlaying fake login screens.
- Surveillance: keylogging, screen recording, cookie theft, live location, microphone, and camera access.
- SMS interception: hijacking the default SMS app to steal banking and 2FA messages.
- Remote control: connecting to attacker servers over Tor and WebSockets, enabling attackers to send SMS, place calls, uninstall apps, or trigger self-destruction.
Bitdefender highlights how multi-language localization makes the campaign harder to detect: “By decrypting the strings used in the classes, we find permissions requests in multiple languages available, such as English, Spanish, Portuguese, German, French, Italian, Turkish, Finnish, etc.”
Beyond TradingView, attackers have impersonated dozens of brands including Binance, Bitso, EToro, Ledger, Nexo, Revolut, and even U.S. President Donald Trump to increase clicks.
Regional tailoring has also been observed – for instance, Lemon.me in Latin America and Exness in Thailand.
This campaign marks a dangerous evolution in malvertising. As the report warns: “This expansion signals an alarming trend: mobile users are no longer safe from malvertising campaigns that once primarily targeted desktops.”
With mobile devices now central to banking, crypto wallets, and 2FA apps, a single compromise can result in full financial and identity takeover.