Fake Trading Ads Spread Brokewell Malware
Cybersecurity researchers at Bitdefender have detected a sinister new twist in the evolving world of Android malware. They have uncovered a broader malvertising campaign on Meta platforms that now targets Android users worldwide, leveraging sophisticated impersonation and advanced malware trojans to turn a profit. This shift signals a deeper threat landscape for anyone using Android devices.
Bitdefender Labs reports that cybercriminals have shifted from targeting typical desktop environments to launching mobile-focused attacks through Meta's advertising infrastructure. Since 22 July 2025, the attackers have deployed at least 75 malicious ads posing as links to a free TradingView Premium app for Android users. The campaign has already reached tens of thousands across the European Union by 22 August 2025, according to Bitdefender's analysis.
The deceptive ads mimic the official branding and appearance of TradingView, a trusted name among traders of cryptocurrencies, options, and fiat currencies. Users are promised premium trading tools but instead receive an evolved version of the Brokewell malware—a banking trojan built for stealth and remote control and, more importantly, for stealing the sensitive financial data that lets attackers drain victims' funds and crypto assets.
The campaign explicitly targets Android. If a user clicks the ad from a desktop or non-Android device, the malicious content remains dormant; the system delivers harmless material instead. This selective activation ensures the malware spreads only to intended victims, evading detection in lab environments that might automatically analyze the campaign.
With its granular targeting options, Meta's advertising platform provides an ideal vehicle for such malicious campaigns. Threat actors can finely tune who sees the ad and, importantly, which operating system the ad's payload activates on. This makes such attacks both highly effective and remarkably stealthy.
Inside Brokewell
Brokewell is not new. It surfaced in April 2024 when ThreatFabric researchers discovered it masquerading as a fake Google Chrome update. The malware exhibited advanced capabilities, including remote device control and comprehensive data collection. Other capabilities included:
- Overlay attacks that mimic login screens to steal credentials
- WebView-based interception of cookies
- Real-time capture of taps, swipes, text inputs, and on-screen content
- Device fingerprinting (collecting hardware and software details)
- Access to call logs and physical location
- Screen streaming and remote gesture execution (touch, swipe, scroll, click)
- Activation of screen and hardware buttons without user interaction
The new campaign's Brokewell variant has evolved. Delivered through fake TradingView apps, it can now specifically target cryptocurrency wallets and trading activity, stealing stored crypto credentials or silently monitoring financial activity and exfiltrating the captured data when the operators choose.
This attack is not isolated. Bitdefender's broader research shows that Android continues to suffer from multiple malware threats beyond simply malicious apps on Google Play. In 2025, Bitdefender revealed a massive Android ad-fraud campaign infiltrating Google Play.
Researchers identified at least 331 apps that were cumulatively downloaded over 60 million times. These apps hid in plain sight: they removed their icons from launchers, delivered out-of-context ads, and ran phishing schemes for credentials and credit card information.
Threat actors deliberately use creative measures to bypass Google Play Protect. They strip app icons, start background activity without any user interaction, and even alter previously benign apps after publication. Android users face growing threats from hidden adware, credential thieves, and remote access trojans (RATs), including those of the banking variety.
This campaign illustrates how attackers increasingly target mobile platforms via trusted brands and advertising networks. Awareness and caution are essential. Here are some practical mitigation strategies Android users can apply that defend against a broad range of threats:
- Trust but verify: Users should avoid downloading apps outside official app stores or from unfamiliar sources, even if presented via ads on social media or search engines.
- Scrutinize offers: If an ad promises a free premium app, question it. Legitimate developers usually distribute apps via known channels.
- Install mobile security: Security apps that monitor behaviors (like Bitdefender's App Anomaly Detection) can catch sneaky post-install changes or overlay attacks.
- Keep systems updated: While Google Play Protect isn't foolproof, using the latest OS versions and patches helps block known vulnerabilities.
- Limit exposure: Disable sideloading unless absolutely necessary. Android's upcoming "Developer Verification" feature, intended specifically to curb sideloaded malware, should help users avoid high-risk installations.
- Monitor accounts: For users active in crypto, using hardware wallets or enabling two-factor authentication adds a layer of protection beyond passwords alone.
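The "trust but verify" and "limit exposure" advice above can be checked on a device rather than taken on faith. The script below is an added example, not code from the article, PCrisk or Bitdefender: it reads the installer recorded for every third-party package (`adb shell pm list packages -3 -i`) and flags any package that did not come from a trusted store, which is exactly how a fake "TradingView Premium" APK downloaded from an ad would appear. It assumes `adb` is on the PATH with one device connected; the package names in the embedded sample are constructed for the example, and the trusted-store set is an assumption you should extend with your own OEM or enterprise store.

```python
"""Flag Android packages that were not installed from a trusted app store.

Added example for this article; parses `adb shell pm list packages -3 -i`,
whose lines have the shape `package:<name>  installer=<installer or null>`.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Installer package names treated as trusted stores. Assumption for this
# example: only the Google Play Store; add your OEM or enterprise store.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `pm list packages -3 -i` output (not from a real device).
SAMPLE_LISTING = """\
package:com.example.charting  installer=com.android.vending
package:com.example.tradingview.premium  installer=null
package:com.example.freetools  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""

_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installer_listing(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm reports 'null')."""
    result: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _LINE.match(line)
        if not match:
            continue  # unexpected line shape: skip rather than guess
        pkg, installer = match.group(1), match.group(2)
        result[pkg] = None if installer == "null" else installer
    return result


def flag_sideloaded(installs: Dict[str, Optional[str]],
                    trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Return packages whose installer is missing or not a trusted store.

    A 'null' installer on a third-party package usually means it arrived via
    adb or a manual install; com.google.android.packageinstaller is the
    on-device APK installer used when a user opens a downloaded APK.
    """
    return sorted(pkg for pkg, inst in installs.items() if inst not in trusted)


def fetch_listing(timeout: float = 15.0) -> str:
    """Read the live listing from the first connected device via adb."""
    proc = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, timeout=timeout, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    try:
        listing, source = fetch_listing(), "device"
    except (OSError, subprocess.SubprocessError):
        # No adb or no device: fall back to the constructed sample.
        listing, source = SAMPLE_LISTING, "constructed sample"
    flagged = flag_sideloaded(parse_installer_listing(listing))
    print(f"[{source}] {len(flagged)} package(s) not installed from a trusted store:")
    for pkg in flagged:
        print("  ", pkg)
```

On a real device, every flagged package deserves a second look; a package with a `null` installer that impersonates a well-known brand is the pattern this campaign relies on, and uninstalling it via `adb uninstall <package>` removes the foothold before any overlay or screen-streaming capability can be exercised.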
The latest malvertising campaign leveraging TradingView imagery to distribute Brokewell malware demonstrates how rapidly cyber threats evolve in mobile ecosystems. Researchers identified that the campaign began in late July 2025, and by late August, it had already compromised tens of thousands of Android users across the EU, and likely beyond.
This incident underscores that mobile devices, far from being "lesser" targets, remain prime avenues for cybercriminals. Their tactics continue to evolve, using refined social engineering, advanced malware, and targeted delivery systems like advertising networks. The stakes only rise as Android users increasingly rely on digital wallets and financial apps.
Staying vigilant, using recommended security tools, and scrutinizing anything that seems too good to be true will remain the bedrock of protection for everyday users navigating a rapidly shifting threat landscape.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.