This Android Malware Is Spreading Through Facebook Ads

This Android Malware Is Spreading Through Facebook Ads

Briefly

"Threat actors are once again using Meta's advertising platform to distribute malware. This time, it's a form of Android spyware known as Brokewell, and it's spreading through a malvertising campaign on Facebook. According to researchers at Bitdefender, cybercriminals are running ads that promise free access to TradingView Premium, a market tracking and investment app, for Android mobile users. Clicking on the fraudulent ads, which use TradingView's branding and, in some cases, images of Labubus, leads to users downloading and installing malware on their devices."

"As the Bitdefender report outline, this malvertising attack tricks users into clicking Facebook ads that appear to be for TradingView, but the links go to a cloned website, which initiates a download of a malicious .apk file to the user's device. The dropped app requests broad accessibility permissions while showing the user a series of fake update prompts, including one that requests the device's lock screen PIN. Once permissions are granted, the dropper uninstalls itself to avoid detection."

"The malware itself is an advanced spyware and remote access trojan (RAT) that has a range of capabilities: Crypto theft Scraping and exporting two-factor authentication (2FA) codes from Google Authenticator Overlaying fake login screens for account takeover Surveillance, such as keylogging and screen recording Intercepting SMS messages to steal banking and 2FA codes Remote device control This specific scheme targets Android mobile users-if someone on Windows desktop or MacOS clicks on a fake TradingView ad, they'll see benign content instead of the malicious cloned site."