Facebook malware campaign targets crypto platforms and Android

Bitdefender warns of a global malvertising campaign on Facebook that aims to steal the crypto assets of Android users.


Malicious Facebook ads are targeting Android users who are active on crypto platforms. The masterminds are trying to steal the crypto assets of potential victims.

The antivirus company Bitdefender is currently warning against this. According to the company, there seems to be a general belief that smartphones are less likely to be targeted by criminals, which is a fatal misconception. Bitdefender is now warning that cyber criminals are increasingly distributing malware via Meta's advertising system. After months of Windows desktop users being the main target of fake advertising for trading and crypto platforms, attackers are now increasingly targeting Android users worldwide.

A supposedly free "TradingView Premium" app for Android was discovered by analysts in a wave of malicious ads on Facebook. TradingView is a well-known app whose logo and appearance are misused by the attackers. Instead of legitimate software, however, the ad delivers a crypto-stealing Trojan. It is an advanced version of the Brokewell malware.

The fake ad promises that you can use the premium subscription in the TradingView app for free.

(Image: Bitdefender)

The malware campaign has been running since July 22, 2025, and included at least 75 malicious advertisements. In the EU alone, it had reached tens of thousands of users by last weekend. In the fake ads, the masterminds promise potential victims that they can use the premium subscription for free.

Clicking on the ad directs interested parties to a cloned website that mimics the look of the official TradingView website and downloads a malicious .apk file named "tw-update.apk". After installation, the app requests extensive permissions. The malware app even tries to access the lock screen PIN.


However, it is more than just an info stealer that taps into access data. The malware is a full-fledged spyware and Remote Access Trojan (RAT) at the same time, explains Bitdefender. It is capable of crypto theft and searches for BTC, ETH, USDT, IBANs and more. It can steal 2FA codes from Google's Authenticator, take over accounts by displaying fake log-in pages, monitor the smartphone and record the screen, act as a keylogger, intercept SMS, and be remotely controlled by the attackers. Bitdefender considers the malware to be one of the most advanced threats seen in malvertising campaigns to date.

In addition to English, the malware has native translations for Arabic, Chinese, Indonesian, Portuguese, Spanish, Thai, Turkish, Vietnamese, and others. Several samples also included Bulgarian, French, Romanian and other languages. So far, the analysts have only discovered malicious ads imitating TradingView, but expect this to expand in the near future. The analysis also contains some Indicators of Compromise (IOCs) that interested parties can look for.

Last week, Zscaler's ThreatLabz reported malicious apps in the Google Play Store that were infected with the Anatsa malware. They also targeted assets by analyzing the online banking and crypto management apps on the device and interposing phishing pages in the form of fake login pages. In total, 77 malicious apps have been installed more than 19 million times.

The criminal gangs are always creative in their search for new scams. In June, for example, it became known that cyber criminals had tried to place advertisements on instructions for standard commands. Instead of the desired parameter lists, however, the instructions returned commands that led to the installation of infostealer malware.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.