A new malvertising wave is moving from desktops to phones. The platform: Meta’s ad network. The target: Android users. The prize: cryptocurrency.
Bitdefender Labs says attackers have shifted gears after months of hitting Windows. Now the lure is a fake TradingView Premium app, pushed through Facebook ads. The download doesn’t deliver charting software. It drops a trojan, an evolved strain of Brokewell.
This is no simple stealer. Once installed, it asks for deep device permissions. It hides behind update prompts, pushes for lock screen PINs, and overlays fake login screens. With those footholds, it can drain wallets, scrape 2FA codes, record screens, hijack SMS, and even activate the microphone or camera.
Communication runs over Tor and WebSockets. Control is near total.
The campaign has scale. At least 75 malicious ads ran between 22 July and 22 August. Tens of thousands of users in Europe alone were exposed. The branding was convincing: TradingView logos, polished visuals, even memes like Labubu stitched in.
Click on one of these ads from a desktop and you’ll see random content. Harmless. But follow the same ad on Android and you land on a cloned TradingView site, with a malicious APK waiting.
Bitdefender researchers pulled the samples apart. The app is obfuscated, loading extra code on the fly. Commands and overlays are localized in multiple languages: English, Spanish, German, Turkish, French, and more. It is tuned for global reach.
And this is just one branch of the operation. On Windows, the same network of ads has impersonated Binance, Ledger, eToro, Bybit, even Donald Trump. The playbook is clear: abuse Meta’s ad system, tailor lures to regions, and weaponize trust in known brands.
Why Android, why now? Mobile has become the hub for finance. Wallets, trading apps, and authenticator codes live there. One compromised phone can open the vault.
Bitdefender flags the Android malware as Android.Trojan.Dropper.AVV and Android.Trojan.Banker.AVM.
Detection is strong, but prevention matters most. Avoid sideloading apps. Watch URLs. Don’t trust every ad, even on familiar platforms. And if an app asks for accessibility or your lock screen PIN without reason, stop.
The shift from desktop to mobile is more than a pivot. It’s a signal. Threat actors go where the money is, and right now, that means the phone in your hand.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


