Hackers Exploit Meta Ads With Fake TradingView Premium App to Spread Android Malware
Cybercriminals are running a new ad scam across Meta’s platforms, luring users with free TradingView Premium offers that secretly install Brokewell malware on Android devices. The campaign, active since July, has been traced to at least 75 localized ads and is now being flagged as a serious threat to cryptocurrency investors.
A Trap Disguised as TradingView
Bitdefender researchers uncovered the operation this week. Fake ads used TradingView’s branding, colors, and professional-style visuals to hook mobile users. But the catch? The download link didn’t lead to TradingView’s site. Instead, Android users were redirected to a counterfeit page delivering a malicious file named tw-update.apk.
Those who installed it unknowingly gave the malware everything it needed. The fake app immediately requested accessibility permissions, then pushed a full-screen fake “system update” prompt. Behind the scenes, it quietly granted itself sweeping device controls.
One researcher put it bluntly: “The malware hides behind what looks like a regular update, but in reality, it’s opening the door for attackers to take over the phone.”
Designed for Mobile, Ignored on Desktop
An unusual detail stood out in Bitdefender’s analysis. The campaign was fine-tuned to strike only mobile users. Anyone clicking the same ad on Windows or iOS would see harmless content—basically a decoy.
On Android though, the trap was sprung. Victims saw a TradingView lookalike website, complete with branding, logos, and copycat design. The sophisticated targeting makes sense: most cryptocurrency users check trading apps on their phones, not desktops.
What Brokewell Can Do
The malware at the center of this scam, Brokewell, isn’t new. It’s been tracked since early 2024, but this version is described as “an advanced build” with one of the broadest toolsets researchers have seen on mobile.
Its list of capabilities reads like a hacker’s wishlist:
- Steals Bitcoin, Ethereum, and Tether wallet data, as well as bank account details 
- Extracts Google Authenticator codes, effectively bypassing two-factor authentication 
- Creates fake login screens to steal exchange and banking credentials 
- Records everything from keystrokes to screen activity 
- Activates the camera and microphone remotely 
- Tracks GPS location in real time 
- Hijacks the default SMS app to grab verification codes 
- Uses Tor and WebSockets for covert remote control, letting attackers send texts, place calls, uninstall apps, or even have the malware wipe itself to cover its tracks
Bitdefender says its researchers documented more than 130 commands supported by the malware.
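For defenders triaging a handset, the two footholds described above (accessibility access and the default SMS role) can be checked against where each app was installed from. The sketch below is an added example, not code from Bitdefender or the original article; it parses the output of `adb shell pm list packages -3 -i`, `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application`. The trusted-installer allowlist and all package names are assumptions constructed for illustration.

```python
import re

# Installer packages treated as trusted stores (assumption: tune per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Parse `pm list packages -3 -i` output into {package: installer or None}."""
    found = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return found

def parse_accessibility(value):
    """Parse the colon-separated `enabled_accessibility_services` setting into package names."""
    value = value.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(pm_output, accessibility_value, default_sms):
    """Flag third-party apps from untrusted installers holding accessibility or the SMS role."""
    a11y = parse_accessibility(accessibility_value)
    sms = default_sms.strip()
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        roles = [name for name, held in (("accessibility", pkg in a11y),
                                         ("default-sms", pkg == sms)) if held]
        if roles:
            findings.append((pkg, installer, roles))
    return findings

# Constructed sample data; package names are placeholders, not indicators from the report.
SAMPLE_PM = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""
SAMPLE_A11Y = ("com.example.screenreader/.ReaderService:"
               "com.example.fakeupdate/com.example.fakeupdate.UpdateService\n")
SAMPLE_SMS = "com.example.fakeupdate\n"

if __name__ == "__main__":
    for pkg, installer, roles in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_SMS):
        print(f"{pkg}: installer={installer}, holds {', '.join(roles)}")
```

A sideloaded app with neither role (the notes app in the sample) is not flagged; the check targets the combination of untrusted origin and sensitive access.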
A Broader Operation
The use of fake TradingView ads may just be the latest phase. According to Bitdefender, earlier waves of the same campaign targeted Windows users with Facebook ads impersonating dozens of well-known brands. This shows the operators behind Brokewell are testing multiple entry points across platforms.
The Android campaign, however, seems laser-focused on cryptocurrency holders. By grabbing wallet addresses, intercepting SMS codes, and recording every screen, attackers position themselves to drain digital assets in one fell swoop.
Growing Risk for Crypto Investors
The attack highlights a rising trend: crypto investors remain prime targets for cybercrime. Just this summer, FBI alerts warned of malware hidden in fake trading apps. With billions locked in digital assets and mobile phones often acting as the key, scams like this are expected to escalate.
For Meta, it’s another black eye. The company has already faced criticism over malicious ads on Facebook and Instagram. Despite policies banning them, sophisticated campaigns keep slipping through.
Security analysts warn the fake TradingView scheme shows how easy it is for criminals to exploit trust in well-known financial tools. As one Bitdefender researcher put it, “If they can turn TradingView into bait, they can do it with any major app.”