Cybercriminals are shifting their focus from traditional desktop platforms to mobile devices, utilizing Meta’s advertising ecosystem to disseminate a sophisticated Android banking trojan masquerading as a free TradingView Premium application. This alarming trend has been highlighted by Bitdefender Labs, which notes a strategic pivot from targeting Windows users with deceptive trading and cryptocurrency advertisements to a more global campaign aimed at smartphone owners.
Since July 22, 2025, researchers have uncovered at least 75 Facebook advertisements that promise users a complimentary premium version of TradingView for Android. By August 22, these ads had garnered significant attention, reaching tens of thousands of users across the European Union. The ads cleverly incorporate official TradingView branding and familiar visuals, including a playful Labubu mascot, designed to entice potential victims into clicking.
Desktop users, who fall outside the targeted Android demographic, are redirected to benign content. Mobile users, in contrast, are led to a cloned website, new-tw-view[.]online, where they are prompted to download an infected .apk file from tradiwiw[.]online/tw-update.apk.
Upon installation, the dropper (MD5 788cb1965585f5d7b11a0ca35d3346cc) extracts a packed APK (58d6ff96c4ca734cd7dfacc235e105bd) that immediately requests extensive permissions, including full accessibility access. This request is cleverly disguised as a fake “update” prompt, and the application employs overlays on popular apps such as YouTube to deceive users into downloading additional malicious tools, including a counterfeit Venmo installer. Once the victim grants the necessary permissions, the dropper uninstalls itself, effectively erasing any trace of its initial presence.
Analysis indicates that the payload represents an evolved iteration of the Brokewell spyware and remote access trojan (RAT), boasting a range of capabilities:
- Crypto theft: Scanning for Bitcoin, Ethereum, USDT, IBANs, and more.
- 2FA bypass: Scraping codes from Google Authenticator.
- Account takeover: Overlaying fake login screens.
- Surveillance: Recording screens, keylogging, stealing cookies, activating the camera and microphone, and live location tracking.
- SMS interception: Hijacking default SMS applications to capture banking and authentication codes.
- Remote control: Communicating over Tor and WebSockets, executing commands to send SMS, place calls, uninstall apps, or self-destruct.
The application is heavily obfuscated, utilizing two native libraries to decrypt and load a hidden .dex resource at runtime. A JSON configuration outlines overlay targets on popular applications, while command and control (C2) communication occurs via both Tor and secure WebSocket channels. The extensive command support includes clipboard dumping (doGETCLIPBOARDVAL), enabling developer options, adjusting device settings, and capturing images from both front and back cameras.
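The permission combination described above (accessibility, overlays, SMS, camera and microphone, package install and removal) is the practical signal a reviewer can check before installing an unknown APK. The following triage routine is an added example written for this page, not Bitdefender's code or the malware's configuration; it maps the permissions in a decoded AndroidManifest.xml to the capability buckets listed above, and the manifest, package name and service name it uses are constructed.

```python
# Added example (not from Bitdefender's report): triage a decoded Android manifest for the
# permission/service combination that the Brokewell variant described above relies on.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets from the article, mapped to the manifest permissions that enable them.
CAPABILITIES = {
    "accessibility_abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                         "android.permission.SEND_SMS"},
    "surveillance": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                     "android.permission.ACCESS_FINE_LOCATION"},
    "dropper_behaviour": {"android.permission.REQUEST_INSTALL_PACKAGES",
                          "android.permission.REQUEST_DELETE_PACKAGES"},
    "remote_control": {"android.permission.CALL_PHONE"},
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability buckets a decoded AndroidManifest.xml would enable.

    BIND_ACCESSIBILITY_SERVICE is not requested via <uses-permission>; it is declared on
    the <service> element, so both locations are checked.
    """
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    requested |= {el.get(ANDROID_NS + "permission") for el in root.iter("service")}
    requested.discard(None)
    hits = {bucket: sorted(requested & perms) for bucket, perms in CAPABILITIES.items()}
    hits = {bucket: perms for bucket, perms in hits.items() if perms}
    # Accessibility plus overlay plus SMS access is the classic banking-trojan triad.
    triad = {"accessibility_abuse", "overlay_phishing", "sms_interception"} <= set(hits)
    return {"buckets": hits, "banker_triad": triad}

# Constructed manifest mimicking the behaviours described in the report; not the real sample.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.tradingview">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SUSPECT_MANIFEST))
```

The manifest must already be decoded to text (for example with apktool or aapt); the binary manifest inside an APK is not parsed here.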
This surge in Android-targeted threats is part of a larger malvertising operation that initially focused on desktop users across various brands, including Binance, Bitget, Bybit, eToro, Ledger, and Revolut, as well as public figures such as former U.S. President Donald Trump. The ads are localized in numerous languages, including Vietnamese, Portuguese, Spanish, Turkish, Thai, Arabic, and Chinese, often tailored to align with regional brand popularity (e.g., Lemon.me in Latin America, Exness in Thailand, Blackbull in Asia-Pacific).
Mitigations
Bitdefender Mobile Security for Android currently identifies the dropper as Android.Trojan.Dropper.AVV and the payload as Android.Trojan.Banker.AVM. The Windows components of the campaign are detected as Generic.MSIL.WMITask (droppers) and Generic.JS.WMITask (front-end scripts). To enhance safety, users are advised to:
- Only install applications from official stores like Google Play.
- Scrutinize Facebook ads and verify lookalike domains before clicking.
- Carefully review app permissions, particularly those requesting accessibility and lock-screen PIN access.
- Utilize Bitdefender’s Scamio chatbot or Link Checker to verify suspicious links.
- Employ a trusted mobile security solution to block these threats prior to installation.
As mobile banking and cryptocurrency usage continue to rise, this campaign highlights a concerning evolution: smartphones are no longer secondary targets but have become primary conduits for advanced malware. The need for vigilance against malvertising has never been more pressing.