
Hackers Using Facebook Ads Baiting Free TradingView Premium to Install Malware on Android Devices

An Android APK disguised as a TradingView app and promoted through Facebook ads delivers a crypto-theft trojan. The malware abuses Android accessibility services to covertly harvest user data and bypass two-factor authentication (2FA).

Malicious Hackers Leveraging Facebook Advertisements, Offering Free TradingView Premium Accounts, And Spreading Android Malware


A sophisticated malvertising campaign has been uncovered on Meta's Facebook platform, targeting Android users with a fake TradingView Premium app. This insidious campaign, which first surfaced on July 22, 2025, has quickly gained traction across Europe and beyond, reaching tens of thousands of users in the EU alone.

The attackers have localized their lures in over a dozen languages, including Vietnamese, Portuguese, Spanish, Turkish, and Arabic, to maximize reach and credibility. The malicious ads mimic official TradingView branding and visuals, offering a free TradingView Premium application.

Upon clicking these ads, users are redirected to a cloned webpage at new-tw-view[.]online, where they download an APK from tradiwiw[.]online/tw-update.apk. Upon installation, the dropper immediately requests powerful permissions, masquerading as legitimate update prompts.
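The two indicators quoted above (the cloned landing page and the APK download URL) are the kind of thing a defender pushes into proxy or DNS log matching. The script below is an added example, not code from the article or from any vendor report: it refangs the `[.]`-defanged indicators, distinguishes an exact APK-URL hit from a domain (or subdomain) hit, and runs that over a few constructed proxy log lines in a simple `timestamp client method url status` format that is assumed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators as quoted in the article, kept in their defanged form.
DEFANGED_IOCS = [
    "new-tw-view[.]online",
    "tradiwiw[.]online/tw-update.apk",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable form ("[.]" -> ".", "hxxp" -> "http")."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def split_indicator(indicator: str):
    """Return (host, path) for an indicator; path is None for a bare domain."""
    ind = refang(indicator)
    if "://" not in ind:
        ind = "http://" + ind  # scheme only needed so urlparse fills hostname/path
    u = urlparse(ind)
    return u.hostname.lower(), (u.path if u.path not in ("", "/") else None)


IOC_HOSTS = {split_indicator(i)[0] for i in DEFANGED_IOCS}
IOC_URLS = {(h, p) for h, p in (split_indicator(i) for i in DEFANGED_IOCS) if p}

# Constructed sample log lines for this example (not from the article).
# Assumed format: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2025-07-23T10:02:11Z 10.0.0.15 GET https://www.tradingview.com/ 200
2025-07-23T10:03:40Z 10.0.0.15 GET https://new-tw-view.online/premium 200
2025-07-23T10:03:58Z 10.0.0.15 GET https://tradiwiw.online/tw-update.apk 200
2025-07-23T10:05:02Z 10.0.0.22 GET https://example.org/index.html 200
2025-07-23T10:06:30Z 10.0.0.22 GET https://sub.new-tw-view.online/track 302
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def classify(url: str):
    """'url' for an exact indicator URL hit, 'domain' for a host/subdomain hit, else None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if (host, u.path) in IOC_URLS:
        return "url"
    if any(host == h or host.endswith("." + h) for h in IOC_HOSTS):
        return "domain"
    return None


def scan_log(text: str):
    """Return one hit record per log line whose URL matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        kind = classify(m["url"])
        if kind:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": m["url"], "match": kind})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The subdomain check matters in practice: a landing page usually serves its tracking and payload from sibling hosts, so matching only the literal string from an advisory misses them. The exact-URL class is kept separate because a request for `tw-update.apk` is a download event worth escalating, whereas a bare domain hit may just be a user who clicked the ad.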

The infection mechanism involves a multi-stage process designed for stealth and persistence. Persistence is achieved by re-enabling accessibility services on reboot and hiding the app's icon from the app drawer. The malicious updater class is loaded dynamically at runtime, which can evade static analysis tools.

Once installed, the app unleashes a crypto-stealing trojan that harvests credentials, bypasses two-factor authentication, and seizes control of device functionality. A native library dynamically retrieves decryption keys and loads the hidden classes via reflection, bypassing standard signature checks. The malware registers as an accessibility service, granting it the ability to monitor keystrokes, intercept 2FA tokens, and display fake login screens over banking and crypto apps.

The payload is encrypted and stored as a DEX resource within the application. The attackers have weaponized Facebook's ad infrastructure to create a potent campaign capable of global reach and significant financial impact. This attack demonstrates a high degree of automation combined with manual-grade precision in targeting high-value assets on Android devices.
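Several of the behaviours described above leave traces in an app's manifest before any code runs: a service bound with `BIND_ACCESSIBILITY_SERVICE`, a boot receiver for re-arming on reboot, overlay and package-install permissions for fake login screens and dropper behaviour. The triage script below is an added example, not code from the article or any analysis tool it mentions; it assumes a decoded `AndroidManifest.xml` as text (as produced by a decoder such as apktool) and runs over a constructed manifest that imitates the pattern described, beside a benign one for contrast.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Qualify an attribute name with the android: namespace as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{name}"


# Permissions the article's description ties to dropper/overlay/persistence behaviour.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart on reboot (persistence)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (fake login screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages (dropper)",
    "android.permission.READ_SMS": "can read SMS (2FA interception)",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(xml_text: str):
    """Return a list of human-readable findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {p.get(attr("name")) for p in root.iter("uses-permission")}
    for name, why in SUSPICIOUS_PERMISSIONS.items():
        if name in perms:
            findings.append(f"permission {name}: {why}")
    for svc in root.iter("service"):
        if svc.get(attr("permission")) == ACCESSIBILITY_BIND:
            findings.append(f"accessibility service {svc.get(attr('name'))}: "
                            "can read screen content and inject input")
    for rcv in root.iter("receiver"):
        actions = {x.get(attr("name")) for x in rcv.iter("action")}
        if BOOT_ACTION in actions:
            findings.append(f"boot receiver {rcv.get(attr('name'))}: re-arms on reboot")
    return findings


def verdict(findings):
    """'review' when an accessibility service is combined with any other finding."""
    has_a11y = any(f.startswith("accessibility service") for f in findings)
    return "review" if has_a11y and len(findings) > 1 else "low"


# Constructed manifest imitating the described dropper (hypothetical package name).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="TradingView Update">
    <service android:name=".AccService" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(m)
        print(label, verdict(f), *f, sep="\n  ")
```

The manifest cannot show everything the article describes: the encrypted DEX resource, the native library that fetches decryption keys, and the reflective class loading only appear in the resources and code, and icon hiding is done at runtime. Treat a "review" verdict as a reason to look there next, not as a detection on its own; a legitimate accessibility app will trip the service check too.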

To stay secure, organizations and individuals must scrutinize app sources, verify URLs, and limit sideloading to trusted repositories. This campaign marks a significant evolution in mobile-focused malvertising, demonstrating how threat actors adapt traditional desktop-oriented strategies to increasingly lucrative Android ecosystems.

While no specific individual or company responsible for its development has been publicly identified, it is clear that cybercriminal groups have been exploiting Meta's advertising system since July 2024. The Brokewell malware, of which this new Trojan is an evolved form, remains a significant concern in the cybersecurity community.
