Cybercriminals are abusing Meta's advertising platforms with fake offers of a free premium TradingView application that distributes the Brokewell malware for Android.
The campaign targets cryptocurrency assets and has been running since at least July 22 through 75 localized ads.
Brokewell has been around since early 2024 and has a large set of capabilities that includes sensitive data theft, remote monitoring, and control of the compromised device.
Take control of the device
Researchers at cybersecurity company Bitdefender investigated the campaign's advertisements, which use the TradingView brand and visuals to lure potential victims with the promise of a free premium Android application.
They note that the campaign was designed specifically for mobile users, as accessing the ad from another operating system leads to harmless content.
Clicking on Android, however, redirected victims to a web page imitating the official TradingView site, which served a malicious Tw-update.apk file hosted at tradiwiw[.]online/
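The two indicators named above (the landing domain and the dropper file name) are the kind of thing a defender would sweep web-proxy logs for. The following is an added example, not code from the article or from Bitdefender: it refangs the defanged domain, scans constructed proxy log lines, and reports which indicator each line matched. The log format (`<timestamp> <client_ip> <method> <url> <status>`) and the sample lines are assumptions for the demo.

```python
"""
Added example (not part of the article or the Bitdefender report): sweep
web-proxy log lines for the indicators the article names, the landing
domain tradiwiw[.]online and the dropper file Tw-update.apk.

Assumed log format: "<timestamp> <client_ip> <method> <url> <status>".
The SAMPLE_LOG lines below are constructed for this demo.
"""
import re
from typing import Iterable, List, Optional

# Indicators from the article, kept defanged so they can be pasted into
# tickets and chat without becoming clickable links.
DEFANGED_DOMAIN = "tradiwiw[.]online"
DROPPER_FILENAME = "Tw-update.apk"

# Constructed sample proxy log; only lines 2-4 touch the indicators.
SAMPLE_LOG = """\
2025-08-21T10:01:02Z 10.0.0.12 GET https://www.example.com/index.html 200
2025-08-21T10:02:15Z 10.0.0.15 GET https://tradiwiw.online/ 200
2025-08-21T10:02:21Z 10.0.0.15 GET https://tradiwiw.online/Tw-update.apk 200
2025-08-21T10:03:40Z 10.0.0.20 GET https://updates.example.org/Tw-update.apk 404
""".splitlines()


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its live form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def match_line(line: str) -> Optional[dict]:
    """Return a dict describing the hit if the log line touches an indicator, else None.

    "domain" means the request host is the landing domain (or a subdomain of it);
    "dropper" means the URL path ends in the dropper file name. A file-name-only
    hit is weaker evidence than a domain hit, so both are reported separately.
    """
    parts = line.split()
    if len(parts) < 5:
        return None
    timestamp, client, _method, url, status = parts[:5]
    host_match = re.match(r"https?://([^/]+)", url)
    if not host_match:
        return None
    host = host_match.group(1).split(":")[0].lower()
    live_domain = refang(DEFANGED_DOMAIN)

    hits: List[str] = []
    if host == live_domain or host.endswith("." + live_domain):
        hits.append("domain")
    if url.lower().endswith("/" + DROPPER_FILENAME.lower()):
        hits.append("dropper")
    if not hits:
        return None
    return {"timestamp": timestamp, "client": client, "host": host,
            "status": status, "hits": hits}


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Scan every line and return only the matches, in log order."""
    return [m for m in (match_line(line) for line in lines) if m]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} {hit['host']} "
              f"status={hit['status']} hits={','.join(hit['hits'])}")
```

Because the landing page cloaks itself by operating system (desktop visitors get harmless content), fetching the URL from a desktop sandbox will not reproduce the lure; matching the domain in proxy or DNS logs works regardless of which client made the request, and a client that fetched the APK (HTTP 200 on the dropper path) is the one to prioritise.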
“The dropped application requests accessibility permission, and after receiving it, the screen is covered with a fake update prompt. In the background, the application grants itself all the permissions it needs,” the researchers say in a report this week.
In addition, the malicious application also tries to obtain the device unlock PIN by simulating an Android update request that requires the lock screen password.
Source: Bitdefender
According to Bitdefender, the fake TradingView application is “an advanced version of the Brokewell malware” that comes “with a large arsenal of tools designed to monitor, control and steal sensitive information:”
- Scans for BTC, ETH, USDT, and bank account numbers (IBANs)
- Steals and exports Google Authenticator codes (bypassing 2FA)
- Hijacks accounts by overlaying fake login screens
- Records the screen and keystrokes, steals cookies, activates the camera and microphone, and tracks location
- Hijacks the default SMS app to intercept messages, including bank and 2FA codes
- Remote control: can receive commands over Tor or WebSockets to send SMS, make calls, uninstall apps, or even self-destruct
The researchers give a technical overview of how the malware operates and an extensive list of supported commands that runs to more than 130 entries.
Bitdefender says this campaign is part of a wider operation that initially used Facebook ads imitating “dozens of well-known brands” to target Windows users.