Threat Actors Use Facebook Ads to Deliver Android Malware

Cybercriminals are increasingly turning their sights from desktop to mobile, exploiting Meta’s advertising platform to distribute a sophisticated Android banking trojan disguised as a free TradingView Premium app.

Bitdefender Labs warns that these threat actors have shifted tactics after months of targeting Windows users with fake trading and cryptocurrency ads, and are now focusing on smartphone owners worldwide.

Since 22 July 2025, researchers have identified at least 75 Facebook ads promising a free premium version of TradingView for Android.

By 22 August, these ads had reached tens of thousands of users across the European Union. Ads feature official TradingView branding and familiar visuals—including a variant paired with a whimsical Labubu mascot—to entice clicks.

Desktop users who fall outside the targeted Android segment are redirected to innocuous content, while mobile users are taken to a cloned site at new-tw-view[.]online, where they download an infected .apk file from tradiwiw[.]online/tw-update.apk.

Once installed, the dropper (MD5 788cb1965585f5d7b11a0ca35d3346cc) unpacks a packed APK (58d6ff96c4ca734cd7dfacc235e105bd) that immediately requests extensive permissions, including full accessibility access.
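To turn the indicators quoted above into something a SOC can act on, here is an added hunting script (not Bitdefender's code) that refangs the published domains and sweeps constructed proxy log lines for the campaign domains, the tw-update.apk download path, and the two MD5 hashes. The log format and the sample lines are assumptions made for the example; only the domains, path and hashes come from the write-up.

```python
import re
from collections import namedtuple

# Indicators as published in the write-up (defanged with [.]).
DEFANGED_DOMAINS = ["new-tw-view[.]online", "tradiwiw[.]online"]
PAYLOAD_PATH = "/tw-update.apk"
KNOWN_MD5 = {
    "788cb1965585f5d7b11a0ca35d3346cc": "dropper (Android.Trojan.Dropper.AVV)",
    "58d6ff96c4ca734cd7dfacc235e105bd": "packed payload (Android.Trojan.Banker.AVM)",
}

def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return indicator.replace("[.]", ".")

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
Hit = namedtuple("Hit", "line reason")

# Assumed proxy log format: "<ts> <client> <method> <url> <status> [md5]"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})(?: ([0-9a-f]{32}))?$")

def scan_proxy_logs(lines):
    """Return a Hit for every line touching a campaign domain or known hash."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, _client, _method, url, _status, md5 = m.groups()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
        # Match the exact host or any subdomain of the campaign domains.
        if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
            reason = "campaign domain " + host
            if url.endswith(PAYLOAD_PATH):
                reason += " (APK download path)"
            hits.append(Hit(line, reason))
        elif md5 and md5 in KNOWN_MD5:
            hits.append(Hit(line, "known hash: " + KNOWN_MD5[md5]))
    return hits

# Constructed sample lines: two campaign requests, one benign, one hash-only hit.
SAMPLE_LOGS = [
    "2025-08-01T10:00:01Z 10.0.0.5 GET https://new-tw-view.online/ 200",
    "2025-08-01T10:00:09Z 10.0.0.5 GET https://tradiwiw.online/tw-update.apk 200 788cb1965585f5d7b11a0ca35d3346cc",
    "2025-08-01T10:01:00Z 10.0.0.7 GET https://example.org/index.html 200",
    "2025-08-01T10:02:30Z 10.0.0.9 GET https://cdn.example.net/app.apk 200 58d6ff96c4ca734cd7dfacc235e105bd",
]

if __name__ == "__main__":
    for hit in scan_proxy_logs(SAMPLE_LOGS):
        print(hit.reason, "<-", hit.line)
```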

Fake “update” prompts mask the request, and the app uses overlays on common apps such as YouTube to trick users into downloading additional malicious tools, such as a fake Venmo installer. After the victim grants permissions, the dropper uninstalls itself, erasing evidence of its role.

Analysis shows the payload is an evolved version of the Brokewell spyware and remote access trojan (RAT). Capabilities include:

  • Crypto theft: Scanning for Bitcoin, Ethereum, USDT, IBANs and more.
  • 2FA bypass: Scraping codes from Google Authenticator.
  • Account takeover: Overlaying fake login screens.
  • Surveillance: Recording screens, keylogging, stealing cookies, activating camera and microphone, live location tracking.
  • SMS interception: Hijacking default SMS apps to capture banking and authentication codes.
  • Remote control: Communicating over Tor and WebSockets, executing commands to send SMS, place calls, uninstall apps, or self-destruct.

The app is heavily obfuscated, leveraging two native libraries to decrypt and load a hidden .dex resource at runtime.

A JSON configuration defines overlay targets on popular apps, and C2 communication occurs via both Tor and secure WebSocket channels.

Extended command support spans everything from clipboard dumping (doGETCLIPBOARDVAL) to enabling developer options, toggling device settings, and capturing front- and back-camera streams.

This Android wave is part of a broader malvertising operation that initially targeted desktop users across dozens of brands—from Binance, Bitget, and Bybit to eToro, Ledger, and Revolut—as well as public figures like former U.S. President Donald Trump.

Ads are localized in languages including Vietnamese, Portuguese, Spanish, Turkish, Thai, Arabic, Chinese, and more, often aligning with regional brand popularity (e.g., Lemon.me in Latin America, Exness in Thailand, Blackbull in Asia-Pacific).

Mitigations

Bitdefender Mobile Security for Android currently flags the dropper as Android.Trojan.Dropper.AVV and the payload as Android.Trojan.Banker.AVM. Windows components of the campaign are detected as Generic.MSIL.WMITask (droppers) and Generic.JS.WMITask (front-end scripts). To stay safe:

  • Only install apps from official stores like Google Play
  • Scrutinize Facebook ads and lookalike domains before clicking
  • Carefully review app permissions, especially accessibility and lock-screen PIN requests
  • Use Bitdefender’s Scamio chatbot or Link Checker to verify suspicious links
  • Employ a trusted mobile security solution to block these threats before installation

As mobile banking and cryptocurrency usage grow, this campaign underscores a dangerous evolution: smartphones are no longer secondary targets but prime delivery mechanisms for advanced malware. Vigilance against malvertising has never been more critical.
