Threat Actors Weaponizing Facebook Ads with Free TradingView Premium App Lures That Deliver Android Malware

Cybersecurity researchers have uncovered a sophisticated malvertising campaign on Meta’s Facebook platform in recent weeks that targets Android users with promises of a free TradingView Premium application.

These deceptive ads mimic official TradingView branding and visuals, luring unsuspecting victims to download what appears to be a legitimate APK.

Once installed, however, the app drops a crypto-stealing trojan that abuses Android's Accessibility Services and overlay windows to harvest credentials, capture two-factor authentication codes, and take control of the device.


This campaign marks a significant evolution in mobile-focused malvertising, demonstrating how threat actors adapt traditional desktop-oriented strategies to increasingly lucrative Android ecosystems.

After initial discovery on July 22, 2025, the wave of malicious advertisements rapidly gained traction across Europe and beyond.

The ads redirect users to a cloned webpage at new-tw-view[.]online, where they download an APK from tradiwiw[.]online/tw-update.apk.

Upon installation, the dropper immediately requests powerful permissions, masquerading as legitimate update prompts that coax users into enabling Accessibility Services and granting device administration rights.

Bitdefender analysts noted that, in many cases, the dropper cleans up after itself by uninstalling its initial stub, leaving only the payload in place to avoid detection.

On August 22, Bitdefender researchers identified that at least 75 unique ads had been deployed since late July, reaching tens of thousands of users in the EU alone.

The attackers localized their lures in over a dozen languages—including Vietnamese, Portuguese, Spanish, Turkish, and Arabic—to maximize reach and credibility.

Malicious ads (Source – Bitdefender)

Targeting mobile users reflects a broader trend: as smartphones become central to financial operations—crypto wallets, mobile banking, and authentication apps—the stakes for successful compromise rise dramatically.

Technical Overview of Infection Mechanism

Delving into the infection chain reveals a multi-stage process designed for stealth and persistence. The dropper APK (MD5 788cb1965585f5d7b11a0ca35d3346cc) unpacks an embedded payload (MD5 58d6ff96c4ca734cd7dfacc235e105bd) at runtime.

The payload is stored as an encrypted DEX resource inside the application. A native library retrieves the decryption keys at runtime, writes the decrypted DEX to the app's private storage and loads its classes through a DexClassLoader and reflection, so the malicious classes never appear in the APK's own classes.dex and are invisible to scanners that only inspect the package on disk.

// Reflection-based payload loading (dropper side; reconstructed from the behaviour described above)
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.FileOutputStream;
import java.lang.reflect.Method;

static void loadPayload(Context context, byte[] decryptedBytes) throws Exception {
    // Write the decrypted DEX into app-private storage, out of reach of other apps
    String dexPath = context.getFilesDir() + "/payload.dex";
    try (FileOutputStream fos = new FileOutputStream(dexPath)) {
        fos.write(decryptedBytes);
    }
    // Load the hidden classes at runtime; they never appear in the APK's classes.dex
    DexClassLoader loader = new DexClassLoader(dexPath, context.getCacheDir().getAbsolutePath(), null, context.getClassLoader());
    Class<?> clazz = loader.loadClass("com.tradingview.updater.Updater");
    Method init = clazz.getMethod("initialize", Context.class);
    init.invoke(null, context); // static entry point of the payload; the call target is resolved only at runtime
}
Accessibility permission prompt overlaying update screen (Source – Bitdefender)
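The domains, download URL and file hashes quoted above are the campaign's published indicators. The following is an added example, not code from the article or from Bitdefender, that matches those indicators against a proxy log and against file hashes; the log lines and the file-to-hash mapping are constructed for illustration, and the Squid-style log format is an assumption about the reader's environment.

```python
import hashlib
import re

# Indicators quoted in the article (Bitdefender's report), kept in their defanged form.
IOC_DOMAINS_DEFANGED = ["new-tw-view[.]online", "tradiwiw[.]online"]
IOC_APK_URL_DEFANGED = "tradiwiw[.]online/tw-update.apk"
IOC_MD5 = {
    "788cb1965585f5d7b11a0ca35d3346cc": "dropper APK",
    "58d6ff96c4ca734cd7dfacc235e105bd": "embedded payload",
}


def refang(indicator):
    """Turn the report's defanged form ([.] and hxxp) back into something matchable."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Any http(s) URL token: capture the host, skip an optional port, capture the path.
_URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/\S*)?", re.IGNORECASE)


def host_matches(host):
    """True for a campaign domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_proxy_log(text):
    """Return (line_no, host, url) for every line whose URL points at a campaign domain.
    Works on any log where the URL appears as a token, e.g. a Squid access.log."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in _URL_RE.finditer(line):
            if host_matches(m.group(1)):
                hits.append((n, m.group(1).lower(), m.group(0)))
    return hits


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """Stream a file through MD5 so large APKs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_hashes(name_to_md5):
    """Return (name, label) for every file whose MD5 is a known campaign sample."""
    return [(name, IOC_MD5[h.lower()]) for name, h in name_to_md5.items() if h.lower() in IOC_MD5]


# Constructed sample data (not real telemetry): three Squid-style access.log lines and
# a mapping of file names to MD5 digests as a mobile-device backup scan might produce.
SAMPLE_PROXY_LOG = """\
1753180800.123    412 10.0.0.15 TCP_MISS/200 5213 GET https://www.tradingview.com/ - HIER_DIRECT/1.2.3.4 text/html
1753180805.456    231 10.0.0.15 TCP_MISS/302 0 GET http://new-tw-view.online/premium - HIER_DIRECT/5.6.7.8 text/html
1753180810.789  88214 10.0.0.15 TCP_MISS/200 8821134 GET https://tradiwiw.online/tw-update.apk - HIER_DIRECT/5.6.7.9 application/vnd.android.package-archive
"""
SAMPLE_HASHES = {
    "Download/tw-update.apk": "788CB1965585F5D7B11A0CA35D3346CC",  # dropper hash from the report, uppercased
    "base.apk": "0" * 32,                                          # benign placeholder
}

if __name__ == "__main__":
    for line_no, host, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {line_no}: {host} -> {url}")
    for name, label in scan_hashes(SAMPLE_HASHES):
        print(f"file {name}: matches {label}")
```

Hash matches only catch these exact samples; a repacked APK has a new digest, and the actors can register new domains at will, so treat the indicators as a starting point and pair them with the behavioural checks (accessibility and device-admin grants, hidden launcher icons) described further on.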

Once active, the malware registers itself as an accessibility service, which lets it read on-screen text and keystrokes, capture the one-time codes shown by Google Authenticator, and draw fake login screens over banking and crypto apps.

The code snippet above shows how the malicious updater class is loaded dynamically, so that static analysis of the APK alone does not reveal it.

Persistence is achieved by re-enabling the accessibility service after a reboot and by hiding the app's icon from the launcher: the malware disables its own launcher activity through PackageManager.setComponentEnabledSetting, so the victim cannot find the app to remove it.
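The two persistence traits just described (an enabled accessibility service and a launcher activity disabled through setComponentEnabledSetting) are both visible from an adb shell, which makes them useful triage signals. The following is an added example, not code from the article or from Bitdefender, that correlates the output of `settings get secure enabled_accessibility_services` with the `disabledComponents` section of `dumpsys package` to flag packages showing both traits. The allowlist, the package name `com.tradingview.updater` (inferred from the class name in the snippet above), the service name and the abridged dumpsys excerpt are all constructed for illustration.

```python
import re

# Accessibility services expected on the fleet (constructed allowlist; in practice derive it
# from the MDM inventory). Anything else that is enabled deserves a look.
KNOWN_GOOD_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

_PKG_HEADER = re.compile(r"^\s*Package \[([\w.]+)\]")
_SECTION = re.compile(r"^\s*(disabledComponents|enabledComponents):\s*$")


def parse_enabled_accessibility(settings_value):
    """Split the value of Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES into pkg/service entries.
    The setting is colon-separated; an unset value prints as 'null'."""
    value = settings_value.strip()
    if not value or value == "null":
        return []
    return [entry for entry in value.split(":") if entry]


def unknown_accessibility_services(settings_value, allowlist=KNOWN_GOOD_ACCESSIBILITY):
    return [s for s in parse_enabled_accessibility(settings_value) if s not in allowlist]


def parse_component_state(dumpsys_text):
    """Map package -> {'disabledComponents': [...], 'enabledComponents': [...]} from
    'dumpsys package' output. Component lines are those indented deeper than the
    section header; the first less-indented line closes the section."""
    state, pkg, section, sec_indent = {}, None, None, 0
    for line in dumpsys_text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        m = _PKG_HEADER.match(line)
        if m:
            pkg, section = m.group(1), None
            state[pkg] = {"disabledComponents": [], "enabledComponents": []}
            continue
        m = _SECTION.match(line)
        if m and pkg:
            section, sec_indent = m.group(1), indent
            continue
        if section and line.strip():
            if indent > sec_indent:
                state[pkg][section].append(line.strip())
            else:
                section = None
    return state


def triage(settings_value, dumpsys_text):
    """Rank unexpected accessibility services; a package that also has a disabled Activity
    (the icon-hiding trick) gets the higher severity."""
    findings = []
    state = parse_component_state(dumpsys_text)
    for svc in unknown_accessibility_services(settings_value):
        pkg = svc.split("/", 1)[0]
        hidden = [c for c in state.get(pkg, {}).get("disabledComponents", []) if c.endswith("Activity")]
        if hidden:
            findings.append(f"HIGH: {pkg} runs accessibility service {svc} and has disabled activities {hidden}")
        else:
            findings.append(f"MEDIUM: unexpected accessibility service {svc}")
    return findings


# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.tradingview.updater/com.tradingview.updater.UpdaterAccessibilityService"
)

# Constructed, abridged excerpt of: adb shell dumpsys package com.tradingview.updater
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.tradingview.updater] (7a1b2c3):
    userId=10234
    pkg=Package{4d5e6f com.tradingview.updater}
    codePath=/data/app/~~abc==/com.tradingview.updater-xyz==
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    User 0: ceDataInode=123456 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0
      disabledComponents:
        com.tradingview.updater.MainActivity
      enabledComponents:
        com.tradingview.updater.UpdaterAccessibilityService
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED_A11Y, SAMPLE_DUMPSYS):
        print(finding)
```

On a real device feed both commands through `adb shell` and pass their output to `triage`; a HIGH finding is a package that a user cannot see in the launcher yet is reading the screen on their behalf, which is exactly the state this trojan leaves the device in.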

This attack demonstrates a high degree of automation combined with manual-grade precision in targeting high-value assets on Android devices.

By weaponizing Facebook’s ad infrastructure and leveraging in-depth knowledge of the Android permission model, threat actors have created a potent campaign capable of global reach and significant financial impact.

Organizations and individuals alike must remain vigilant, scrutinizing app sources, verifying URLs, and limiting sideloading to trusted repositories.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.