Hackers are exploiting Meta’s ad network with fraudulent promotions of a free TradingView Premium app that secretly installs the Brokewell malware on Android devices. This malicious campaign, active since July 22, has been tracked across roughly 75 localized ads and primarily targets cryptocurrency users.
Originally detected in early 2024, Brokewell is a versatile threat capable of stealing personal data, monitoring devices, and granting attackers remote control. According to Bitdefender, the scheme is tailored for mobile users: when an ad is clicked from an Android device, the victim is redirected to a counterfeit TradingView page that distributes a malicious APK file from tradiwiw[.]online.
Once installed, the app requests accessibility permissions, hides behind a fake update prompt, and covertly grants itself extensive privileges. It even attempts to capture the device’s lockscreen PIN by simulating a system update.
The latest variant of Brokewell has a wide toolkit: searching for crypto wallets and bank accounts, stealing two-factor authentication codes, overlaying fake login pages, recording keystrokes and screens, hijacking SMS apps, activating the camera or microphone, and even self-destructing on command. Bitdefender notes that it supports over 130 remote commands via Tor and WebSockets, making it highly dangerous.
The researchers also highlighted that this campaign is part of a broader operation, which previously used fake Facebook ads mimicking major brands to compromise Windows systems.

