Brokewell Archives

Tech Optimizer

September 26, 2025

Malware Campaign Spreads Trojans via Hijacked Ads on Facebook, Google, YouTube

A recent malware campaign has transitioned from Meta’s advertising ecosystem to Google Ads and YouTube, initially targeting Facebook users through compromised business accounts. The threat originated from a Norwegian design agency’s hijacked Facebook Business account, promoting fraudulent ads for a fictitious “TradingView Premium” app that directed users to download malware. The malware is disseminated on YouTube through hijacked verified channels, leading victims to a downloader that installs Trojan.Agent.GOSL, capable of data theft and remote device control. Over 250 malicious apps targeting Android devices have been identified, equipped for credential theft and unauthorized access. Attackers compromise verified accounts to bypass scrutiny, altering page names to mimic official entities. The campaign exploits vulnerabilities in both Meta's and Google’s ad networks, utilizing OAuth URLs and ad placements to evade detection. Security experts recommend multi-layered defenses, enabling two-factor authentication, and verifying app sources to mitigate risks.

AppWizard

September 2, 2025

Crooks exploit Meta malvertising to target Android users with Brokewell

Cybercriminals are using Meta's advertising platform to spread the Brokewell malware, targeting Android users through deceptive promotions, particularly fake TradingView Premium ads since July 2024. Over 75 counterfeit ads have been identified, leading users to download a trojanized .apk file from cloned websites. Once installed, the app requests accessibility permissions and disguises itself with fake update notifications, ultimately deploying Brokewell, a spyware and Remote Access Trojan (RAT) that conducts extensive surveillance and data theft, primarily targeting users in the European Union. Brokewell employs obfuscation techniques and native libraries to hide its code, featuring a JSON configuration for overlaying legitimate applications and a decrypted .dex file for its main payload. It communicates with command and control servers via Tor and WebSocket, enabling various espionage activities, including crypto theft, 2FA bypass, account takeover, surveillance, SMS interception, and remote control of the device. Experts recommend that users only install apps from official app stores, avoid suspicious ads, verify URLs before downloading software, and review app permissions carefully. The risks associated with compromised devices are significant, especially as mobile banking and cryptocurrency wallets become more common.

AppWizard

September 1, 2025

Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans

Recent research indicates a shift in the Android malware ecosystem, with dropper apps now being used to distribute simpler malware like SMS stealers and basic spyware, particularly in regions such as India and Asia. This change is attributed to enhanced security measures by Google, which aim to prevent the sideloading of harmful applications that request sensitive permissions. Attackers are adapting by designing droppers that avoid high-risk permissions and present users with innocuous update screens to bypass security scans. Notable dropper apps identified include RewardDropMiner, which has been linked to spyware and a Monero miner, and other variants like SecuriDropper and Zombinder. Google has stated that it has not found any applications using these techniques in the Play Store and continues to enhance its security measures. Additionally, Bitdefender Labs has warned of a campaign using malicious ads on Facebook to promote a fake premium version of the TradingView app, which deploys the Brokewell banking trojan to extract sensitive information from users' devices.

AppWizard

August 30, 2025

Threat Actors Use Facebook Ads to Deliver Android Malware

Cybercriminals are increasingly targeting mobile devices with a sophisticated Android banking trojan disguised as a free TradingView Premium app, as reported by Bitdefender Labs. Since July 22, 2025, at least 75 Facebook ads have promoted this fake application, reaching tens of thousands of users in the European Union by August 22. The ads use official TradingView branding and redirect desktop users to benign content while leading mobile users to a cloned website to download an infected APK file. The trojan, which is an evolved version of the Brokewell spyware, requests extensive permissions under the guise of a fake update and can perform various malicious activities, including crypto theft, 2FA bypass, account takeover, surveillance, SMS interception, and remote control. The application employs obfuscation techniques and communicates via Tor and secure WebSocket channels. This campaign is part of a broader malvertising operation that previously targeted desktop users and is localized in multiple languages. Bitdefender Mobile Security identifies the dropper as Android.Trojan.Dropper.AVV and the payload as Android.Trojan.Banker.AVM. Users are advised to only install apps from official stores, scrutinize ads, review app permissions, and use trusted security solutions to mitigate risks.

AppWizard

August 7, 2024

Chameleon Android Banking Trojan Targets Users Through Fake CRM App

Cybersecurity experts have identified the Chameleon Android banking trojan, which is targeting Canadian businesses, particularly in the hospitality sector. Disguised as a Customer Relationship Management (CRM) application, the trojan began its campaign in July 2024, expanding its reach from previous targets in Australia, Italy, Poland, and the U.K. The malware is designed to exploit Business-to-Consumer (B2C) employees and can bypass security measures in Android 13 and later versions. Upon installation, it presents a fake login interface and prompts users with deceptive error messages to reinstall the app, which activates the trojan. Chameleon is capable of executing on-device fraud and can transfer funds from users' accounts while harvesting sensitive information such as credentials and geolocation data. If it compromises a device with access to corporate banking, it poses significant risks to organizations.

AppWizard

June 3, 2024

Be Careful: These Android Apps Are Installing Malware, Stealing Your Data

More than 90 Android apps on Google Play Store have been found to contain malware, posing as PDF or QR code readers. The malicious apps secretly collect data and display fake banking login pages to steal financial credentials. Some of the apps identified include "PDF Reader & File Manager" and "QR Reader & File Manager." Other malware families distributed via the Play Store include Joker, Adware, Facestealer, and Coper. Just because an app is on the Google Play Store or Apple's App Store does not guarantee its safety, as banking trojan malware like "Brokewell" has recently emerged.

AppWizard

May 19, 2024

Urgent warning issued to Android users over bug that can empty bank accounts

Brokewell is a malicious software posing as a Google Chrome update that can give cybercriminals access to sensitive information, including banking applications. The discovery of Brokewell highlights the importance of being vigilant when downloading updates, especially from reputable sources like Google Chrome. Threatfabric has shown that distinguishing between legitimate updates and imposters like Brokewell can be difficult. Brokewell is a significant threat to the banking sector and uses overlay attacks to steal user credentials and take over devices. It is important for Android Chrome users to be cautious during installations to protect their personal information from being compromised.

AppWizard

May 2, 2024

Warning Against New Brokewell Android Malware That Spreads Through Fake Chrome Update, Targets Banking Apps

The Brokewell malware is a new cyber threat targeting Android users, disguised as a fake Chrome update. It can infiltrate banking applications, create overlay screens to steal login credentials, and bypass multi-factor authentication systems. Users are advised to be cautious of unsolicited software updates and download apps only from reputable sources.

AppWizard

May 2, 2024

Scam alert for Android users as ‘Brokewell’ malware threatens users’ bank accounts

A new malware threat called "Brokewell" has been detected by cybersecurity experts at ThreatFabric. This sophisticated malware mimics a Google Chrome update and can compromise bank accounts through advanced Device Takeover capabilities. The malware uses overlay attacks to harvest user credentials and is continuously being enhanced by its creators. Users are advised to exercise caution when downloading apps and take immediate steps if they suspect an app to be malicious.

AppWizard

April 29, 2024

Android malware posing as a fake Chrome update is stealing banking app logins

A new Android malware named Brokewell is masquerading as an update for Google Chrome, distributed through a counterfeit browser update page. It uses overlay attacks to steal user credentials and cookies, as well as employs accessibility logging to capture all actions on the infected device. Once cybercriminals have gathered enough private data, they can exploit the malware's remote control features to carry out unauthorized activities on the device.