Meta Malvertising Campaign Spreads Android Crypto-Stealing Malware
A sophisticated malvertising campaign targeting Meta’s ad network has expanded from Windows to Android users worldwide, deploying an advanced version of the Brokewell malware disguised as TradingView’s premium app[1].
Since July 22, 2025, cybercriminals have launched over 75 malicious Facebook ads, reaching tens of thousands of users across the European Union[1:1]. The campaign tricks victims into downloading a malicious APK from fake domains that mimic TradingView’s official website.
The malware, an enhanced strain of Brokewell, functions as both spyware and a remote access trojan (RAT) with capabilities including:
- Cryptocurrency theft (BTC, ETH, USDT)
- SMS interception for banking and 2FA codes
- Google Authenticator data extraction
- Screen recording and keylogging
- Camera and microphone activation
- Remote command execution via Tor and WebSockets[1:2]
The attackers have localized their ads in multiple languages including Vietnamese, Portuguese, Spanish, Turkish, Thai, Arabic and Chinese to maximize reach[1:3]. While the Android campaign currently focuses on impersonating TradingView, the Windows version has mimicked numerous brands including Binance, Bitget, Metatrader, and OKX[1:4].
It would maybe be safer on a custom OS because less malware would target it, but exploits can still exist, at this point I’d say you also should really be using a dedicated device for crypto wallet stuff if you have more than small amounts, whether that’s a purpose built hardware wallet, an old phone you reset and have only the wallet app on, etc.