Broader Facebook Malvertising Targets Android Devices with Cryptocurrency-Stealing RAT
Bitdefender Labs has uncovered a rapidly expanding malvertising campaign on Facebook that targets Android users with crypto-stealing malware disguised as a fake TradingView app. The operation has reportedly been active since July and has used at least 75 malicious Facebook advertisements, all designed to deceive users into sideloading what is presented as a “TradingView Premium” Android application. What victims actually install is an evolved variant of the Brokewell malware, which functions as both spyware and a remote access trojan (RAT). The campaign marks a significant shift from traditional desktop targeting to mobile device exploitation, and has reached tens of thousands of users across the European Union despite running on a platform many consider trustworthy.
When an Android user clicks on the malicious advertisement, they are redirected to a spoofed TradingView website (“new-tw-view[.]online”) where they are encouraged to download a trojanised .apk file. Upon installation, the app hides its request for Accessibility Service permissions behind a fake update prompt; once granted, that permission lets the app read on-screen content and inject taps and keystrokes on the user's behalf, giving it extensive control over the device. This Brokewell variant exhibits a wide range of malicious capabilities, including scanning for cryptocurrency wallet addresses, extracting two-factor authentication codes, and facilitating account takeovers through credential-phishing overlays. Command and control runs over the Tor network and WebSockets, allowing attackers to issue commands such as initiating calls and sending SMS messages. The campaign uses hyper-localised content, mimicking well-known brands and adapting to local languages and cultures, which makes detection and takedown increasingly challenging for security teams.
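The two traits that matter for triage here are that the app was sideloaded (it did not come from an app store) and that it holds an enabled Accessibility Service. Both are visible over adb without any vendor tooling. The script below is an added example, not code from Bitdefender or from the Brokewell sample: it parses the text printed by the real commands `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and flags packages that satisfy both conditions. The sample outputs and every package and service name in them (such as `com.example.tradingview.premium`) are constructed for illustration and are not indicators from the campaign.

```python
"""Triage: find sideloaded Android apps that hold an enabled Accessibility Service.

Added example. Inputs are the raw text of two adb commands:
    adb shell pm list packages -i
    adb shell settings get secure enabled_accessibility_services
The sample outputs and package names below are constructed, not real indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Installer package names that mean "came from an app store". Extend with OEM
# stores (Samsung, Amazon, ...) for handsets that use them.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# `pm list packages -i` prints one line per app: package:<name>  installer=<installer>
PKG_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


@dataclass
class Finding:
    package: str
    installer: str
    services: list[str] = field(default_factory=list)


def parse_installed(pm_output: str) -> dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    installed: dict[str, str] = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("inst")
    return installed


def parse_accessibility(setting_value: str) -> dict[str, list[str]]:
    """Map package name -> enabled accessibility service classes.

    The setting is a colon-separated list of `package/ServiceClass` entries;
    `settings get` prints the literal string `null` when nothing is enabled.
    """
    enabled: dict[str, list[str]] = {}
    value = setting_value.strip()
    if not value or value == "null":
        return enabled
    for entry in value.split(":"):
        pkg, _, svc = entry.partition("/")
        if pkg and svc:
            enabled.setdefault(pkg, []).append(svc)
    return enabled


def sideloaded_packages(pm_output: str) -> list[str]:
    """Every package whose installer is not a known app store (sorted)."""
    return sorted(p for p, inst in parse_installed(pm_output).items()
                  if inst not in TRUSTED_INSTALLERS)


def find_suspicious(pm_output: str, setting_value: str) -> list[Finding]:
    """Packages that are both sideloaded and hold an enabled Accessibility Service."""
    installed = parse_installed(pm_output)
    findings = []
    for pkg, services in parse_accessibility(setting_value).items():
        installer = installed.get(pkg, "unknown")  # unknown = not in package list at all
        if installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, installer, services))
    return findings


# Constructed sample output (hypothetical package names; not real indicators).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.tradingview.premium  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""
SAMPLE_A11Y_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.tradingview.premium/com.example.tradingview.premium.UpdateService"
)

if __name__ == "__main__":
    print("Sideloaded:", sideloaded_packages(SAMPLE_PM_OUTPUT))
    for f in find_suspicious(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_SETTING):
        print(f"HIGH: {f.package} (installer={f.installer}) services={f.services}")
```

On a real handset, pipe the two adb commands into these functions. Two caveats: preinstalled system apps also report `installer=null`, so intersect the result with `pm list packages -3` (third-party packages only) to cut noise, and a screen reader installed from Play legitimately holds an Accessibility Service, which is why the script only flags the sideloaded ones.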
Categories: Malvertising Campaigns, Mobile Malware, Cryptocurrency Theft
Tags: Malvertising, Android, Crypto-stealing, TradingView, Brokewell, Spyware, Remote Access Trojan, Cryptocurrency, Phishing, Tor Network