Threat Actors Use Facebook Ads to Deliver Android Malware

Cybercriminals are increasingly turning their sights from desktop to mobile, exploiting Meta’s advertising platform to distribute a sophisticated Android banking trojan disguised as a free TradingView Premium app.

Bitdefender Labs warns that these threat actors have shifted tactics after months of targeting Windows users with fake trading and cryptocurrency ads, now focusing worldwide on smartphone owners.

Since 22 July 2025, researchers have identified at least 75 Facebook ads promising a free premium version of TradingView for Android.

By 22 August, these ads had reached tens of thousands of users across the European Union. Ads feature official TradingView branding and familiar visuals—including a variant paired with a whimsical Labubu mascot—to entice clicks.

Desktop users who fall outside the targeted Android segment are redirected to innocuous content, while mobile users are taken to a cloned site at new-tw-view[.]online, where they download an infected .apk file from tradiwiw[.]online/tw-update.apk.

Once installed, the dropper (MD5 788cb1965585f5d7b11a0ca35d3346cc) unpacks a packed APK (58d6ff96c4ca734cd7dfacc235e105bd) that immediately requests extensive permissions, including full accessibility access.

Fake “update” prompts mask the request, and the app uses overlays on common apps like YouTube to trick users into downloading additional malicious tools such as a fake Venmo installer. After the victim grants permissions, the dropper uninstalls itself, erasing evidence of its role.
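The delivery chain above yields a small set of network and file indicators. The following is an added example, not code from Bitdefender or this article: it refangs the domains exactly as printed above, matches them against constructed proxy log lines by exact host rather than substring (so a URL that merely contains the domain string in its path is not a false positive), and checks a constructed file inventory against the two MD5 hashes the article gives. The log format, the file paths and the client addresses are all constructed sample data.

```python
"""Match the campaign's published indicators against sample logs.

Added example, not part of the Bitdefender report or the article. The
indicator values are the ones printed in the article; the log lines and
the file inventory are constructed sample data.
"""
import re

# Indicators as printed in the article (defanged with [.]).
DEFANGED_DOMAINS = ["new-tw-view[.]online", "tradiwiw[.]online"]
PAYLOAD_PATH = "/tw-update.apk"
KNOWN_MD5 = {
    "788cb1965585f5d7b11a0ca35d3346cc": "dropper (Android.Trojan.Dropper.AVV)",
    "58d6ff96c4ca734cd7dfacc235e105bd": "packed payload (Android.Trojan.Banker.AVM)",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed proxy log lines: timestamp, client, method, URL, user agent.
SAMPLE_LOGS = [
    '2025-08-01T10:02:11Z 10.0.0.5 GET https://new-tw-view.online/ "Mozilla/5.0 (Linux; Android 14; Pixel 8)"',
    '2025-08-01T10:02:19Z 10.0.0.5 GET https://tradiwiw.online/tw-update.apk "Mozilla/5.0 (Linux; Android 14; Pixel 8)"',
    '2025-08-01T10:03:02Z 10.0.0.9 GET https://www.tradingview.com/ "Mozilla/5.0 (Windows NT 10.0)"',
    '2025-08-01T10:04:44Z 10.0.0.7 GET https://example.org/new-tw-view.online.txt "curl/8.0"',
]

# Constructed log format; adjust the pattern for a real proxy's layout.
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
HOST_RE = re.compile(r"^[a-z]+://([^/:?#]+)")


def host_of(url: str) -> str:
    """Extract the host part of a URL (lower-cased); '' if it has no scheme."""
    m = HOST_RE.match(url.lower())
    return m.group(1) if m else ""


def find_hits(lines):
    """Return one record per log line whose host is a listed domain or a subdomain of one."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_of(m["url"])
        # Exact host or subdomain match only; a domain string inside a path does not count.
        if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
            severity = "payload-download" if m["url"].lower().endswith(PAYLOAD_PATH) else "landing-page"
            hits.append({"client": m["client"], "host": host, "severity": severity, "ua": m["ua"]})
    return hits


def match_hashes(inventory):
    """inventory: mapping of file path -> MD5 hex digest (any case). Returns path -> label."""
    return {path: KNOWN_MD5[h.lower()] for path, h in inventory.items() if h.lower() in KNOWN_MD5}


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print(hit)
    # Constructed inventory: one path with the dropper hash, one benign file.
    print(match_hashes({"/sdcard/Download/tw-update.apk": "788CB1965585F5D7B11A0CA35D3346CC",
                        "/sdcard/Download/notes.txt": "d41d8cd98f00b204e9800998ecf8427e"}))
```

On the constructed sample the first two lines produce a landing-page hit and a payload-download hit from the same client, while the TradingView request and the URL that only carries the domain string in its path are ignored. In a real deployment the same client appearing in both categories within a short window is the signal worth alerting on, since the article describes the download as following the cloned landing page.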

Analysis shows the payload is an evolved version of the Brokewell spyware and remote access trojan (RAT). Capabilities include:

  • Crypto theft: Scanning for Bitcoin, Ethereum, USDT, IBANs and more.
  • 2FA bypass: Scraping codes from Google Authenticator.
  • Account takeover: Overlaying fake login screens.
  • Surveillance: Recording screens, keylogging, stealing cookies, activating camera and microphone, live location tracking.
  • SMS interception: Hijacking default SMS apps to capture banking and authentication codes.
  • Remote control: Communicating over Tor and WebSockets, executing commands to send SMS, place calls, uninstall apps, or self-destruct.

The app is heavily obfuscated, leveraging two native libraries to decrypt and load a hidden .dex resource at runtime.

A JSON configuration defines overlay targets on popular apps, and C2 communication occurs via both Tor and secure WebSocket channels.

Extended command support spans everything from clipboard dumping (doGETCLIPBOARDVAL) to enabling developer options, toggling device settings, and capturing front- and back-camera streams.

This Android wave is part of a broader malvertising operation that initially targeted desktop users across dozens of brands—from Binance, Bitget, and Bybit to eToro, Ledger, and Revolut—as well as public figures like former U.S. President Donald Trump.

Ads are localized in languages including Vietnamese, Portuguese, Spanish, Turkish, Thai, Arabic, Chinese, and more, often aligning with regional brand popularity (e.g., Lemon.me in Latin America, Exness in Thailand, Blackbull in Asia-Pacific).

Mitigations

Bitdefender Mobile Security for Android currently flags the dropper as Android.Trojan.Dropper.AVV and the payload as Android.Trojan.Banker.AVM. Windows components of the campaign are detected as Generic.MSIL.WMITask (droppers) and Generic.JS.WMITask (front-end scripts). To stay safe:

  • Only install apps from official stores like Google Play
  • Scrutinize Facebook ads and lookalike domains before clicking
  • Carefully review app permissions, especially accessibility and lock-screen PIN requests
  • Use Bitdefender’s Scamio chatbot or Link Checker to verify suspicious links
  • Employ a trusted mobile security solution to block these threats before installation
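Two of the bullets above, sideloaded installs and accessibility access, can be checked on a managed device without a security product. The following is an added example, not from the article or Bitdefender: it parses the output of two standard Android commands, `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of service component names) and `adb shell pm list packages -3 -i` (third-party packages with their installer), and reports any package that holds accessibility access but was not installed by Google Play. The command output embedded below is constructed, the package names are made up, and the `installer=` line layout is assumed from recent Android releases.

```python
"""Triage helpers: which third-party apps hold accessibility access without
coming from Google Play. Added example, not the article's or Bitdefender's
code; the adb output below is constructed and the package names are made up.
"""

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed output of: adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = "com.example.talkback/.TalkBackService:com.example.sideloaded/.AccService"

# Constructed output of: adb shell pm list packages -3 -i
# (format 'package:<name>  installer=<pkg|null>' is an assumption from recent Android builds)
PM_LIST = """package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.mail  installer=com.android.vending
"""


def parse_accessibility_services(raw: str) -> list:
    """Split the colon-separated ComponentName list into package names ('null' means none)."""
    if not raw or raw.strip() == "null":
        return []
    return [entry.split("/")[0] for entry in raw.strip().split(":") if entry]


def parse_installers(raw: str) -> dict:
    """Map each listed package to its installer package, or None when pm reports 'null'."""
    result = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        parts = line[len("package:"):].split()
        pkg = parts[0]
        installer = None
        for field in parts[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value == "null" else value
        result[pkg] = installer
    return result


def flag_suspicious(a11y_raw: str, pm_raw: str, allowlist=frozenset()) -> list:
    """Third-party packages with accessibility access whose installer is not Google Play.

    Packages absent from the -3 listing are system or preinstalled apps (e.g. a
    screen reader) and are not flagged; allowlisted packages are skipped.
    """
    installers = parse_installers(pm_raw)
    flagged = []
    for pkg in parse_accessibility_services(a11y_raw):
        if pkg in allowlist or pkg not in installers:
            continue
        if installers[pkg] != PLAY_STORE_INSTALLER:
            flagged.append(pkg)
    return flagged


if __name__ == "__main__":
    print(flag_suspicious(ENABLED_A11Y, PM_LIST))
```

On the constructed data only `com.example.sideloaded` is reported: it has accessibility access and no recorded installer, which is what a manually installed `.apk` looks like, while the system screen reader is outside the third-party list and the Play-installed apps hold no accessibility service. A package can also hide an accessibility service by a misleading label, so the component name, not the app's display name, is what the check keys on.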

As mobile banking and cryptocurrency usage grow, this campaign underscores a dangerous evolution: smartphones are no longer secondary targets but prime delivery mechanisms for advanced malware. Vigilance against malvertising has never been more critical.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.