Cybercriminals are abusing Meta's advertising platforms with phishing offers of a free TradingView Premium app that actually delivers the Brokewell malware for Android.
The campaign, which uses an estimated 75 localized advertisements, has been targeting bitcoin assets since at least July 22nd.
Since its launch in early 2024, Brokewell has offered a wide range of capabilities, such as the ability to remotely monitor and operate the compromised device and steal confidential information.
The campaign's advertisements, which imitate the TradingView name and images and entice potential victims with the promise of a free premium program for Android, were examined by researchers at the antivirus firm Bitdefender.
They note that the campaign was built specifically for mobile users: viewing the advertisement from any other operating system returned only innocuous content.
Clicking from Android, however, sent users to a page that mimicked the legitimate TradingView website and offered a malicious tw-update.apk file hosted at tradiwiw[.]online/.
After requesting accessibility permission, the dropped app displays a phony update prompt on the screen while, as the researchers state in a report released this week, it grants itself all the permissions it needs in the background.
The malicious app also attempts to steal the device-unlock PIN by mimicking an Android update request that demands the lockscreen password.
The fraudulent TradingView software is "an advanced version of the Brokewell malware," according to Bitdefender, and it comes "with a vast arsenal of tools designed to monitor, control, and steal sensitive information:"
Checks for bank account numbers (IBANs), Bitcoin, Ethereum, and USDT.
Steals and exports Google Authenticator codes (2FA bypass).
Overlays phony login windows to steal accounts.
Tracks location, activates the camera and microphone, records the screen and keystrokes, and steals cookies.
Intercepts messages, including banking and 2FA codes, by taking over the default SMS app.
Remote control: receives instructions over WebSockets or Tor to send texts, make calls, remove apps, or even self-destruct.
The researchers provide a technical description of the malware's operation, along with a longer list of supported commands: more than 130 rows in total.
According to Bitdefender, this campaign is part of a broader operation that first targeted Windows users with Facebook advertising impersonating "dozens of well-known brands."
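The capability list above maps onto a recognisable set of Android manifest declarations (an accessibility service binding, the overlay permission, SMS receipt, camera/microphone/location, calling and package removal). The following triage heuristic is an added example, not Bitdefender's tooling or any real Brokewell sample: it scores a decoded AndroidManifest.xml (as produced by apktool) against those indicators, and the sample manifest it runs on is constructed for illustration.

```python
# Added example: triage a decoded AndroidManifest.xml for the permission and
# component set that accessibility abuse, overlay phishing, SMS takeover,
# surveillance and remote control require. Not code from the report or the malware.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> manifest strings (permissions or intent actions) that indicate it
INDICATORS = {
    "accessibility_abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_takeover": {"android.provider.Telephony.SMS_DELIVER",
                     "android.permission.RECEIVE_SMS"},
    "surveillance": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                     "android.permission.ACCESS_FINE_LOCATION"},
    "remote_control": {"android.permission.CALL_PHONE",
                       "android.permission.REQUEST_DELETE_PACKAGES"},
}

def extract_indicators(manifest_xml: str) -> set:
    """Requested permissions, service-binding permissions and intent actions."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for el in root.iter("uses-permission"):
        found.add(el.get(NS + "name", ""))
    for el in root.iter("service"):   # accessibility services are bound via this
        found.add(el.get(NS + "permission", ""))
    for el in root.iter("action"):    # SMS_DELIVER marks a default-SMS-app candidate
        found.add(el.get(NS + "name", ""))
    found.discard("")
    return found

def score_manifest(manifest_xml: str) -> dict:
    """Map each capability to True when any of its indicators is present."""
    found = extract_indicators(manifest_xml)
    return {cap: bool(found & inds) for cap, inds in INDICATORS.items()}

# Constructed sample mirroring the listed capabilities; not a real Brokewell manifest
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsRx"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_DELIVER"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
```

A single hit is common in benign apps; it is the co-occurrence of the accessibility binding with overlay and SMS indicators that warrants a closer look at the APK.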