Brokewell Android Malware Spread Through Fake TradingView Ads

Cybercriminals are exploiting Meta’s ad network to push fake TradingView Premium apps that secretly install Brokewell malware on Android devices, stealing data and hijacking user controls.

A new malware campaign is exploiting Meta’s advertising platforms with fake offers of a free TradingView Premium app for Android. The campaign is being used to distribute the Brokewell Android malware, a sophisticated threat capable of stealing sensitive data, monitoring devices, and taking remote control of compromised phones.

The operation, which has been running since at least July 22, leverages around 75 localized ads to maximize reach and effectiveness. Researchers believe that cryptocurrency investors and traders are the main targets, as TradingView is widely used in the crypto community for market charting and trading strategies.

Campaign Disguised as TradingView Premium

Cybersecurity researchers at Bitdefender examined the malicious ads and confirmed that they were designed specifically for mobile users. When clicked from a non-mobile device, the ads led to harmless pages. But on Android devices, the ad redirected victims to a fake TradingView website that hosted a malicious file named tw-update.apk, located at the domain tradiwiw[.]online.

The attackers used TradingView’s branding and visuals to make the ads convincing. Victims were tricked into downloading what they believed was a premium version of the TradingView app.

How Brokewell Gains Full Device Control

Once installed, the fake TradingView app immediately requested accessibility permissions. According to the Bitdefender report:

“The dropped application asks for accessibility, and after receiving it, the screen is covered with a fake update prompt. In the background, the application is giving itself all the permissions it needs.”

This method allowed the malware to escalate its privileges without raising suspicion. Victims only saw what appeared to be a legitimate update screen, while the malware silently granted itself broad device permissions.

In addition, the malicious app attempted to steal the device PIN code by simulating an Android update that requested the lock screen password. By capturing the unlock credentials, attackers could gain persistent and unrestricted access to the infected device.
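The two traits described above, a sideloaded APK that then binds itself as an accessibility service, are cheap to check for during device triage. The following script is an added example written for this article, not code from Bitdefender or from the malware; it parses constructed samples of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services` output, and the package names in the samples are hypothetical.

```python
import re

# Installer packages treated as trusted; anything else (or no installer) counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps with installer).
# Package names are hypothetical; "installer=null" is how a sideloaded app appears.
PM_LIST_OUTPUT = """\
package:com.example.tradingview  installer=com.android.vending
package:com.example.tw_update  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are colon-separated "package/service" pairs.
ENABLED_A11Y_OUTPUT = (
    "com.example.tw_update/.OverlayService:com.android.talkback/.TalkBackService"
)


def parse_installers(pm_output):
    """Map each third-party package to its installer (None when sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, installer = m.group(1), m.group(2)
            installers[pkg] = None if installer == "null" else installer
    return installers


def parse_a11y_packages(settings_output):
    """Return the set of packages that currently hold an enabled accessibility service."""
    packages = set()
    for entry in settings_output.strip().split(":"):
        if "/" in entry:
            packages.add(entry.split("/", 1)[0])
    return packages


def flag_suspects(pm_output, a11y_output):
    """Third-party packages that are both sideloaded and enabled as accessibility services."""
    installers = parse_installers(pm_output)
    a11y = parse_a11y_packages(a11y_output)
    # System accessibility services (e.g. TalkBack) never appear in the -3 list, so they are skipped.
    return sorted(
        pkg for pkg in a11y
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS
    )


if __name__ == "__main__":
    for pkg in flag_suspects(PM_LIST_OUTPUT, ENABLED_A11Y_OUTPUT):
        print("review:", pkg)
```

A hit is a triage lead, not proof of infection; confirm by inspecting the flagged package's permissions and origin.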

Brokewell’s Expanding Capabilities

First identified in early 2024, Brokewell has steadily evolved into a multifunctional Android malware family. Its features now include:

• Stealing sensitive personal and financial data
• Capturing credentials and authentication information
• Monitoring user activity remotely
• Taking full control of compromised devices

By combining these capabilities, attackers can access mobile banking applications, cryptocurrency wallets, and messaging platforms, making the malware particularly dangerous for individuals who manage digital assets on their smartphones.

Why Cryptocurrency Users Are Being Targeted

The focus on cryptocurrency traders aligns with the financially motivated goals of cybercriminals. TradingView is a trusted platform for charting and trading tools, making it an ideal lure for fraudsters. By offering a fake “free premium app,” attackers appeal to traders looking for advanced features, while quietly deploying malware to steal funds and personal data.

The Brokewell campaign is part of a growing trend where legitimate advertising platforms are abused for malware distribution. By infiltrating ad networks, attackers can reach global audiences while bypassing traditional web filtering mechanisms.

The use of Meta’s ad services in this case demonstrates how widely trusted platforms can be exploited to carry out sophisticated malware campaigns at scale.
