Malvertising Campaign on Meta Expands to Android, Pushing Advanced Crypto-Stealing Malware to Users Worldwide (www.bitdefender.com)
from Zerush@lemmy.ml to privacy@lemmy.ml on 02 Sep 13:38
https://lemmy.ml/post/35572248

Meta Malvertising Campaign Spreads Android Crypto-Stealing Malware

A sophisticated malvertising campaign targeting Meta’s ad network has expanded from Windows to Android users worldwide, deploying an advanced version of the Brokewell malware disguised as TradingView’s premium app[^1].

Since July 22, 2025, cybercriminals have launched over 75 malicious Facebook ads, reaching tens of thousands of users across the European Union[^1]. The campaign tricks victims into downloading a malicious APK from fake domains that mimic TradingView’s official website.

The malware, an enhanced strain of Brokewell, functions as both spyware and a remote access trojan (RAT) with capabilities including:

The attackers have localized their ads in multiple languages including Vietnamese, Portuguese, Spanish, Turkish, Thai, Arabic and Chinese to maximize reach[^1]. While the Android campaign currently focuses on impersonating TradingView, the Windows version has mimicked numerous brands including Binance, Bitget, Metatrader, and OKX[^1].

[^1]: Bitdefender - Malvertising Campaign on Meta Expands to Android, Pushing Advanced Crypto-Stealing Malware to Users Worldwide

#privacy


sunzu2@thebrainbin.org on 02 Sep 15:02

Remote command execution via Tor and WebSockets

WTF is dis

somerandomperson@lemmy.dbzer0.com on 02 Sep 23:18

Tor is basically a way to connect to the internet anonymously.

WebSockets is basically a way for P2P connections between servers and clients.

sunzu2@thebrainbin.org on 02 Sep 23:45

I got that but how does this exploit work?

Threat actor using tor to exploit open websockets?

chicken@lemmy.dbzer0.com on 03 Sep 00:15

That’s just the remote control part.

promises of a free TradingView Premium app for Android. Instead of delivering legitimate software, the ads drop a highly advanced crypto-stealing trojan — an evolved version of the Brokewell malware.

From another source, that works in part by exploiting “accessibility service permissions”:

Like other recent Android malware families of its kind, Brokewell is capable of getting around restrictions imposed by Google that prevent sideloaded apps from requesting accessibility service permissions.

This includes displaying overlay screens on top of targeted apps to pilfer user credentials. It can also steal cookies by launching a WebView and loading the legitimate website, after which the session cookies are intercepted and transmitted to an actor-controlled server.
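As an added, defender-side example (not from this thread, the Bitdefender report, or the quoted source): a small Python audit that parses the output of two standard adb commands and flags third-party apps that hold accessibility-service access but were not installed from the Play Store, the combination the quoted passage describes. The adb output embedded below is constructed sample data and the package names are placeholders.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated "package/ServiceClass" entries; "null" when nothing is enabled)
SAMPLE_ENABLED = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.fake_tradingview/.AccService"
)
# Constructed sample of `adb shell pm list packages -3 -i`
# (third-party packages with the installer that placed them on the device)
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.fake_tradingview  installer=null
package:org.example.legit  installer=com.android.vending
"""

# Google Play Store's package name; any other installer is treated as sideloaded here
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> set[str]:
    """Return the package names that currently have an accessibility service enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_installers(raw: str) -> dict[str, str]:
    """Map package name -> installer package; 'null' means sideloaded or unknown."""
    pattern = re.compile(r"^package:(\S+)\s+installer=(\S+)")
    installers = {}
    for line in raw.splitlines():
        match = pattern.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def flag_sideloaded_accessibility(enabled_raw: str, packages_raw: str) -> list[str]:
    """Packages with accessibility access whose installer is not in TRUSTED_INSTALLERS."""
    enabled = parse_enabled_services(enabled_raw)
    installers = parse_installers(packages_raw)
    return sorted(pkg for pkg in enabled
                  if installers.get(pkg, "null") not in TRUSTED_INSTALLERS)


if __name__ == "__main__":
    for pkg in flag_sideloaded_accessibility(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"REVIEW: {pkg} has accessibility access but was not installed from Play")
```

On a real device, feed the script the live output of the two adb commands; a sideloaded app that nevertheless appears in the enabled list is the condition worth reviewing.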

sunzu2@thebrainbin.org on 03 Sep 00:16

WTF, this sounds like what GrapheneOS was designed to avoid...

chicken@lemmy.dbzer0.com on 03 Sep 00:27

It would maybe be safer on a custom OS because less malware would target it, but exploits can still exist. At this point I’d say you also should really be using a dedicated device for crypto wallet stuff if you have more than small amounts, whether that’s a purpose-built hardware wallet, an old phone you reset and have only the wallet app on, etc.

Telorand@reddthat.com on 02 Sep 18:19

Gee, if only there was an alternative to Meta’s stinky apps…some kind of decentralized, federated network of servers and users that’s funded by the community instead of ads and user data sales…

Ah, well. We can only dream. /s

Zerush@lemmy.ml on 03 Sep 00:17

Yes, it would be nice. The problem is the family and friends who are using Fakebook, Whatscrap and others and have you in their contact list; then you are also on the Zuckerbot to-do list, irrelevant of whether you have an account or not. Then you can’t do anything other than block Facebook completely from your internet, as I do.

somerandomperson@lemmy.dbzer0.com on 02 Sep 23:15

uBo.

Zerush@lemmy.ml on 03 Sep 00:07

At minimum. Better to use Portmaster and block anything from Fakebook in both directions, but then you also can’t access it, which avoids accidentally clicking on a link, irrelevant of which of its apps or services it comes from.

(image: https://lemmy.ml/pictrs/image/db2b005f-b89c-4762-891f-918822083e7d.png)

This causes

(image: https://lemmy.ml/pictrs/image/7613f326-4d44-4adf-8e06-baa93c945dc5.png)

interdimensionalmeme@lemmy.ml on 03 Sep 00:24

Can’t I still use it to talk to my mom on Messenger with video calls if I do that?

Zerush@lemmy.ml on 03 Sep 00:33

No, at least not if you don’t deactivate the filter first. Better to convince your mother to use another app.

HiddenLayer555@lemmy.ml on 02 Sep 23:24

And they wonder why people block ads.