- At least 75 malicious advertisements were published on the Meta advertising network
- The advertisements have been seen tens of thousands of times
- They promoted a fake premium TradingView application which deployed a remote access trojan
Cybercriminals are again targeting cryptocurrency traders, this time trying to infect Android devices with an updated version of a well-known malicious threat.
Bitdefender Labs security researchers spotted what they described as “one of the most advanced Android threats seen in a malvertising campaign to date”.
The campaign was set up on the Meta advertising network, which covers Facebook, Instagram, Messenger and WhatsApp, as well as third-party applications and mobile sites that partner with the company.
New Brokewell infections
The advertisements promoted a “free” premium version of TradingView, an online platform for tracking the financial markets, creating charts and sharing trading ideas.
The campaign was spotted on July 22, 2025 (which means that it was probably launched even earlier) and contained at least 75 malicious advertisements. In one month, the advertisements “reached tens of thousands of users in the EU alone,” said the researchers.
The advertisements targeted Android users specifically and redirected them to a fake TradingView landing page. Those who visited from desktop devices were redirected to a different, benign site. Those who used an Android device, however, received a “very advanced crypto-stealing trojan – an advanced version of the Brokewell malware”.
Brokewell is able to capture login credentials via overlay screens, as well as intercept session cookies. It can also record a wide range of user actions, such as taps, swipes and text input, and can collect information such as call logs, geolocation, audio calls, etc. Finally, the most recent variants can serve as a remote access trojan (RAT), giving attackers remote control of the device.
Although its features are very advanced, the malware still raises the same red flags as any other: it requests powerful permissions such as Accessibility access while hiding behind fake update prompts. It also tries to trick the victim into giving up their lock screen PIN.
How to stay safe
To mitigate potential risks, users should place a credit freeze (or a fraud alert) with the three credit bureaus, preventing new credit accounts from being opened in their name without approval.
They should also monitor their credit reports and use the free identity theft monitoring offer.
Finally, they should monitor their financial accounts closely and be very cautious with incoming emails and other communications. Since attackers now know their contact details, they could send convincing fake emails, SMS messages or calls pretending to be from banks, government agencies or even TransUnion itself.
Via BleepingComputer