Threat Actors Weaponizing Facebook Ads with Free TradingView Premium App Lures That Deliver Android Malware

In recent weeks, cybersecurity researchers have identified a sophisticated malvertising campaign targeting Android users on Meta's Facebook platform. The campaign entices users with the promise of a free TradingView Premium application, using deceptive advertisements that closely mimic official TradingView branding and visuals.

Upon clicking these ads, unsuspecting victims are directed to download what appears to be a legitimate APK. However, the reality is far more sinister. Once installed, the application activates a sophisticated crypto-stealing trojan that exploits accessibility features and overlay techniques to harvest user credentials, circumvent two-factor authentication, and gain control over device functionalities.

This campaign signifies a notable shift in mobile-focused malvertising, showcasing how cybercriminals are adapting traditional desktop strategies to exploit the increasingly lucrative Android ecosystem. The initial discovery of this malicious activity occurred on July 22, 2025, and it quickly proliferated across Europe and beyond.

The malicious ads redirect users to a cloned webpage at new-tw-view[.]online, where they are prompted to download an APK from tradiwiw[.]online/tw-update.apk. Upon installation, the dropper immediately requests extensive permissions, disguising itself as legitimate update prompts that encourage users to enable Accessibility Services and grant device administration rights.

Bitdefender analysts have observed that, in many instances, the dropper efficiently cleans up after itself by uninstalling its initial stub, leaving only the payload in place to evade detection. By August 22, researchers had identified at least 75 unique ads deployed since late July, reaching tens of thousands of users in the EU alone. The attackers have localized their deceptive messages in over a dozen languages—including Vietnamese, Portuguese, Spanish, Turkish, and Arabic—to enhance their reach and credibility.

Malicious ads (Source – Bitdefender)

This focus on mobile users underscores a broader trend: as smartphones increasingly become central to financial operations—such as crypto wallets, mobile banking, and authentication apps—the stakes for successful compromises rise significantly.

Technical Overview of Infection Mechanism

A closer examination of the infection chain reveals a multi-stage process designed for stealth and persistence. The dropper APK (MD5 788cb1965585f5d7b11a0ca35d3346cc) unpacks an embedded payload (MD5 58d6ff96c4ca734cd7dfacc235e105bd) on first execution.

The payload is stored as an encrypted DEX resource within the application. A native library retrieves the decryption keys at runtime and the decrypted classes are loaded via reflection, so they never appear in the package's own classes.dex and signature-based scanning of the shipped APK does not see them.

// Reflection-based payload loading (Java; decryptedBytes holds the DEX
// returned by the native decryption library, which is not shown here)
import java.io.FileOutputStream;
import java.lang.reflect.Method;
import android.content.Context;
import dalvik.system.DexClassLoader;

String dexPath = context.getFilesDir() + "/payload.dex";
try (FileOutputStream fos = new FileOutputStream(dexPath)) {
    fos.write(decryptedBytes); // drop the decrypted DEX into app-private storage
}
// A separate class loader means the classes never live in the package's classes.dex
DexClassLoader loader = new DexClassLoader(dexPath,
        context.getCacheDir().getAbsolutePath(), null, context.getClassLoader());
Class<?> clazz = loader.loadClass("com.tradingview.updater.Updater");
Method init = clazz.getMethod("initialize", Context.class);
init.invoke(null, context); // static entry point: initialize(Context)

Accessibility permission prompt overlaying update screen (Source – Bitdefender)

Once activated, the malware registers as an accessibility service, allowing it to monitor keystrokes, intercept two-factor authentication tokens from Google Authenticator, and display counterfeit login screens over legitimate banking and crypto applications.

The code snippet above illustrates how the malicious updater class is dynamically loaded, so that static analysis tools may overlook its presence. Persistence is maintained by re-enabling accessibility services upon reboot and concealing the app icon from the launcher through PackageManager.setComponentEnabledSetting, thwarting user efforts to locate and remove the threat.
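The traits described in this section (an encrypted DEX decrypted by a native library, accessibility-service and device-admin binding) can be checked at triage time. The script below is an added example, not code from the article or from Bitdefender: it scores an APK for a native library paired with a high-entropy asset and inspects a decoded manifest for the two bindings. The sample APK, the manifest fragment, the 7.5 bits/byte entropy threshold and the scoring weights are constructed assumptions; only the two MD5 values come from the article.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# MD5 hashes quoted in the article; anything else is reported as unknown.
KNOWN_MD5 = {"788cb1965585f5d7b11a0ca35d3346cc": "tw-update.apk dropper",
             "58d6ff96c4ca734cd7dfacc235e105bd": "embedded payload"}
DEX_MAGIC = b"dex\n"  # plaintext DEX header; an encrypted payload will lack it

def shannon_entropy(data: bytes) -> float:  # bits per byte; near 8.0 means encrypted/compressed
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_apk(apk_bytes: bytes, manifest_xml: str) -> dict:
    """Flag the dropper traits described above; manifest_xml is the decoded manifest (e.g. apktool output)."""
    findings = {
        "known_hash": KNOWN_MD5.get(hashlib.md5(apk_bytes).hexdigest()),
        "accessibility_service": "BIND_ACCESSIBILITY_SERVICE" in manifest_xml,
        "device_admin": "BIND_DEVICE_ADMIN" in manifest_xml,
        "native_libs": [], "embedded_payloads": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
            elif name.startswith(("assets/", "res/raw/")):
                blob = apk.read(name)
                # hidden DEX in the clear, or a high-entropy blob a native decryptor could unpack
                if blob.startswith(DEX_MAGIC) or shannon_entropy(blob) > 7.5:
                    findings["embedded_payloads"].append(name)
    traits = [findings["accessibility_service"], findings["device_admin"],
              bool(findings["native_libs"] and findings["embedded_payloads"])]
    findings["score"] = sum(traits) + (2 if findings["known_hash"] else 0)  # constructed weights
    return findings

def build_sample_apk() -> bytes:
    """Constructed stand-in for tw-update.apk: a native loader plus a random-looking asset."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, ~7.9 bits/byte
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libloader.so", b"\x7fELF" + b"\x00" * 32)
        z.writestr("assets/update.bin", blob)
        z.writestr("assets/help.txt", b"Tap Update to install the latest build.\n")
    return buf.getvalue()

# Constructed manifest fragment showing the two bindings the dropper asks for.
SAMPLE_MANIFEST = ('<service android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>'
                   '<receiver android:permission="android.permission.BIND_DEVICE_ADMIN"/>')
```

Running `triage_apk(build_sample_apk(), SAMPLE_MANIFEST)` flags the native library, the high-entropy asset and both bindings; the plain-text asset is not flagged.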

This attack exemplifies a high degree of automation combined with manual-grade precision in targeting high-value assets on Android devices. By leveraging Facebook’s advertising infrastructure and demonstrating an in-depth understanding of the Android permission model, threat actors have orchestrated a formidable campaign with the potential for global reach and significant financial ramifications.

Organizations and individuals are urged to remain vigilant, carefully scrutinizing app sources, verifying URLs, and restricting sideloading to trusted repositories.
