Cybercriminals are using Meta ad platforms to spread fake offers of “free TradingView Premium” on Android. Instead of the app, users are getting a new version of the Brokewell malware that can steal data, track actions, and completely control the device. The attack has been ongoing since at least July and includes over 75 localized ads that mimic the TradingView brand. A visit from an Android mobile device leads to a fake website that downloads the malicious tw-update.apk file.

Once installed, the app requests accessibility rights, displays a fake “update” window, and grants itself all necessary permissions in the background. It also attempts to obtain an unlock PIN by masquerading as an Android system prompt.
The capabilities of the new Brokewell include:
theft of BTC, ETH, USDT, and bank details;
intercepting codes from Google Authenticator (bypassing 2FA);
overlaying fake forms to steal accounts;
recording the screen, keystrokes, microphone and camera;
monitoring SMS and calls, and installing or uninstalling applications;
control via Tor or WebSockets.
Brokewell first appeared in early 2024 and even then demonstrated a wide range of spying features. According to Bitdefender, the current campaign is part of a larger operation that began with fake Facebook ads to infect Windows. The focus is now on mobile users and cryptocurrency assets, which makes the threat particularly dangerous.
The Brokewell distribution campaign proves that even legitimate advertising platforms can be tools for cybercriminals. Users should download applications only from official sources, check the permissions an app requests, and avoid suspicious “premium offers”. Brokewell demonstrates how quickly mobile malware is evolving into a multi-functional platform for data theft and complete device control.