This Android Malware Is Spreading Through Facebook Ads

Threat actors are once again using Meta’s advertising platform to distribute malware. This time, it’s a form of Android spyware known as Brokewell, and it’s spreading through a malvertising campaign on Facebook.

According to researchers at Bitdefender, cybercriminals are running ads that promise free access to TradingView Premium, a market tracking and investment app, for Android mobile users. Clicking on the fraudulent ads, which use TradingView’s branding and, in some cases, images of Labubus, leads to users downloading and installing malware on their devices.

How Brokewell compromises Android devices

As the Bitdefender report outline, this malvertising attack tricks users into clicking Facebook ads that appear to be for TradingView, but the links go to a cloned website, which initiates a download of a malicious .apk file to the user’s device. The dropped app requests broad accessibility permissions while showing the user a series of fake update prompts, including one that requests the device’s lock screen PIN. Once permissions are granted, the dropper uninstalls itself to avoid detection.

The malware itself is an advanced spyware and remote access trojan (RAT) that has a range of capabilities:

  • Crypto theft

  • Scraping and exporting two-factor authentication (2FA) codes from Google Authenticator

  • Overlaying fake login screens for account takeover

  • Surveillance, such as keylogging and screen recording

  • Intercepting SMS messages to steal banking and 2FA codes

  • Remote device control

This specific scheme targets Android mobile users—if someone on Windows desktop or MacOS clicks on a fake TradingView ad, they’ll see benign content instead of the malicious cloned site. That said, threat actors have used Facebook ads to reach users across platforms and devices, with campaigns impersonating various cryptocurrency, investment, and trading apps as well as prominent finance professionals.

How to stay safe from malvertising

You should be wary of ads on Facebook and other social media sites, as these are common vectors for spreading malware and other scams. Don’t click on ads, even if you recognize the company or brand—and especially if they’re offering investment advice or a deal that seems too good to be true. Watch out for links that go to lookalike domains or spoofed websites that force you to download files or apps.

Instead, you should download apps only from trusted sources like the Google Play Store. Though malicious apps can sometimes slip through the cracks, it’s a lot safer than sideloading from unvetted sources. Be skeptical of apps that request accessibility permissions or your lock screen PIN without an obvious reason, and avoid granting permissions for anything that isn’t essential to the app’s functionality (even if the app is legit).

Leave a Reply

Your email address will not be published. Required fields are marked *