Facebook ads Archives

AppWizard

December 25, 2025

Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors in Uzbekistan are increasingly using sophisticated tactics to target mobile users, specifically through malicious dropper applications that appear as legitimate software. A recent analysis by Group-IB identified an Android SMS stealer called Wonderland, which was previously known as WretchedCat. Unlike traditional Trojan APKs that activate malware immediately upon installation, Wonderland utilizes droppers that activate malicious payloads locally after installation, even without an internet connection. Wonderland enables bidirectional command-and-control communication, allowing real-time execution of commands, including SMS theft and USSD requests. It disguises itself as Google Play or various file formats to evade detection. The financially motivated group behind this malware, TrickyWonders, uses Telegram for coordination and was first detected in November 2023. Wonderland is associated with two dropper families: MidnightDat and RoundRift. Propagation methods for Wonderland include counterfeit Google Play Store pages, Facebook ads, and fake accounts on dating apps. Attackers exploit stolen Telegram sessions from Uzbek users to distribute APK files. Once installed, Wonderland can access SMS messages, intercept one-time passwords, and siphon funds from victims' bank accounts. It can also retrieve phone numbers, exfiltrate contact lists, suppress security alerts, and send SMS messages from compromised devices. Users must enable installations from unknown sources to sideload the app, often misled by a fake update screen. If granted permissions, attackers can hijack the phone number and log into the associated Telegram account, perpetuating the malware's spread. Wonderland represents a significant evolution in mobile malware in Uzbekistan, moving from basic malware like Ajina.Banker to more sophisticated variants like Qwizzserial. The use of dropper applications enhances its deceptive nature, allowing it to evade security checks. Both the dropper and SMS stealer components are heavily obfuscated, complicating reverse engineering. The supporting infrastructure for Wonderland is dynamic, with rapidly changing domains complicating monitoring efforts. Malicious APKs are generated through a Telegram bot and distributed by a network of threat actors. New strains of malware, such as Cellik, Frogblight, and NexusRoute, have also emerged, each capable of harvesting sensitive information from compromised devices.

AppWizard

September 1, 2025

Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans

Recent research indicates a shift in the Android malware ecosystem, with dropper apps now being used to distribute simpler malware like SMS stealers and basic spyware, particularly in regions such as India and Asia. This change is attributed to enhanced security measures by Google, which aim to prevent the sideloading of harmful applications that request sensitive permissions. Attackers are adapting by designing droppers that avoid high-risk permissions and present users with innocuous update screens to bypass security scans. Notable dropper apps identified include RewardDropMiner, which has been linked to spyware and a Monero miner, and other variants like SecuriDropper and Zombinder. Google has stated that it has not found any applications using these techniques in the Play Store and continues to enhance its security measures. Additionally, Bitdefender Labs has warned of a campaign using malicious ads on Facebook to promote a fake premium version of the TradingView app, which deploys the Brokewell banking trojan to extract sensitive information from users' devices.

AppWizard

August 30, 2025

Threat Actors Use Facebook Ads to Deliver Android Malware

Cybercriminals are increasingly targeting mobile devices with a sophisticated Android banking trojan disguised as a free TradingView Premium app, as reported by Bitdefender Labs. Since July 22, 2025, at least 75 Facebook ads have promoted this fake application, reaching tens of thousands of users in the European Union by August 22. The ads use official TradingView branding and redirect desktop users to benign content while leading mobile users to a cloned website to download an infected APK file. The trojan, which is an evolved version of the Brokewell spyware, requests extensive permissions under the guise of a fake update and can perform various malicious activities, including crypto theft, 2FA bypass, account takeover, surveillance, SMS interception, and remote control. The application employs obfuscation techniques and communicates via Tor and secure WebSocket channels. This campaign is part of a broader malvertising operation that previously targeted desktop users and is localized in multiple languages. Bitdefender Mobile Security identifies the dropper as Android.Trojan.Dropper.AVV and the payload as Android.Trojan.Banker.AVM. Users are advised to only install apps from official stores, scrutinize ads, review app permissions, and use trusted security solutions to mitigate risks.

AppWizard

August 29, 2025

Threat Actors Weaponizing Facebook Ads with Free TradingView Premium App Lures That Delivers Android Malware

Cybersecurity researchers have identified a sophisticated malvertising campaign targeting Android users on Meta’s Facebook platform, promoting a fake TradingView Premium application through deceptive ads. Clicking these ads leads users to download a malicious APK that installs a crypto-stealing trojan, which exploits accessibility features to harvest user credentials and bypass two-factor authentication. The campaign, discovered on July 22, 2025, has spread across Europe, utilizing cloned webpages and localized messages in multiple languages to enhance credibility. The malware employs a multi-stage infection process, dynamically loading its payload to evade detection and maintaining persistence by re-enabling accessibility services and hiding its icon. By August 22, at least 75 unique ads had been identified, reaching tens of thousands of users in the EU.

Tech Optimizer

July 30, 2025

JSCEAL Malware Targets Crypto Users via Fake Facebook Ads

A new malware strain called JSCEAL has emerged, targeting cryptocurrency users by exploiting online advertising. Active since early 2025, it masquerades as legitimate trading applications and uses deceptive ads on platforms like Facebook to lure victims. The malware impersonates well-known exchanges such as Coinbase, Binance, and OKX, tricking users into downloading counterfeit apps that harvest sensitive information like credentials and wallet data. Over 35,000 malicious ads were tracked in 2025, affecting thousands of users. JSCEAL employs malvertising tactics, redirects users to counterfeit websites, and uses JavaScript-based payloads to exploit browser vulnerabilities. Its polymorphic code allows it to evade detection, and it can take remote control of devices using Android Accessibility permissions. Cryptocurrency exchanges are responding by enhancing security measures and advising users to verify app sources, implement multi-factor authentication, and use ad blockers. Users are encouraged to enable browser extensions that flag suspicious sites and to download applications only from official stores.

AppWizard

December 12, 2024

Facebook And Instagram Down: Here’s What We Know About Widespread Outages

On Wednesday afternoon, Meta's applications, including Facebook, Instagram, and WhatsApp, experienced significant disruptions starting around 12:30 p.m. EST. By approximately 1:10 p.m. EST, Facebook alone had over 100,000 outage reports. Instagram and WhatsApp also reported increasing issues. By just before 5:30 p.m. EST, Facebook's outage reports decreased to over 1,200 and Instagram's dropped to about 1,900 from a peak of more than 68,000. Meta's status page indicated major disruptions in its business tools, and users encountered error messages. After 5:30 p.m., Meta communicated on X, stating they were close to resolving the issues. This outage follows a previous global disruption in March that affected hundreds of thousands of users.

AppWizard

December 11, 2024

Is Facebook down? Outage impacts Instagram, WhatsApp and other Meta apps Wednesday

Meta has been fined €91 million (2 million) by the Irish Data Protection Commission due to improperly storing user passwords, following an investigation that started in April 2019. Additionally, Meta is experiencing major outages affecting applications like Facebook Ads Manager, Messenger, and the WhatsApp Business API, resulting in significant disruptions for users.

AppWizard

August 18, 2024

Epic Games’ free games have been working out great, but a lot of the store’s exclusives “were not good investments” says CEO Tim Sweeney

Epic Games has been offering free games weekly since 2018 as a strategy for user acquisition, which has proven to be cost-effective compared to traditional advertising methods. CEO Tim Sweeney stated that the costs of acquiring users through free games are significantly lower than through platforms like Facebook or Google Ads. This initiative not only attracts new players but also increases sales for developers' other titles. Despite the success of the free games program, Epic has faced challenges with exclusive titles, where some investments in exclusivity did not yield the expected results.

Winsage

July 17, 2024

BEWARE: Facebook Ads Bring Fake Windows Themes Hiding Malware

Hackers have been using Facebook ads to distribute malware, specifically the 'infostealer' known as 'SYS01 stealer.' This malware can steal sensitive information such as cookies and login credentials when downloaded on a computer disguised as Windows themes or other programs. The malware campaign has also been spotted on LinkedIn and YouTube ads since September 2023. Despite warnings from security researchers, the campaign is still active and evolving to better evade detection.