Malvertising Campaign on Meta Expands to Android, Pushing Advanced Crypto-Stealing Malware to Users Worldwide

www.bitdefender.com

Meta Malvertising Campaign Spreads Android Crypto-Stealing Malware

A sophisticated malvertising campaign targeting Meta's ad network has expanded from Windows to Android users worldwide, deploying an advanced version of the Brokewell malware disguised as TradingView's premium app[^1].

Since July 22, 2025, cybercriminals have launched over 75 malicious Facebook ads, reaching tens of thousands of users across the European Union[^1]. The campaign tricks victims into downloading a malicious APK from fake domains that mimic TradingView's official website.

The malware, an enhanced strain of Brokewell, functions as both spyware and a remote access trojan (RAT) with capabilities including:

  • Cryptocurrency theft (BTC, ETH, USDT)
  • SMS interception for banking and 2FA codes
  • Google Authenticator data extraction
  • Screen recording and keylogging
  • Camera and microphone activation
  • Remote command execution via Tor and WebSockets[^1]

The attackers have localized their ads in multiple languages, including Vietnamese, Portuguese, Spanish, Turkish, Thai, Arabic, and Chinese, to maximize reach[^1]. While the Android campaign currently focuses on impersonating TradingView, the Windows version has mimicked numerous brands including Binance, Bitget, MetaTrader, and OKX[^1].

[^1]: Bitdefender - Malvertising Campaign on Meta Expands to Android, Pushing Advanced Crypto-Stealing Malware to Users Worldwide
