Cybersecurity experts have uncovered a sophisticated malvertising campaign that has been targeting Android users across Europe and other regions. The threat actors behind this operation have been leveraging Meta’s Facebook platform to disseminate ads that promise a free TradingView Premium application. However, these ads are part of a deceptive ruse designed to distribute Android malware.
To lure unsuspecting users, the ads closely mimic official TradingView branding and redirect victims to a clone webpage, new-tw-view[.]online, from which an APK file is downloaded at tradiwiw[.]online/tw-update.apk. This APK is anything but benign: once installed, it deploys a crypto-stealing trojan. The malware abuses the Android Accessibility Service and uses overlay techniques to harvest user credentials and intercept two-factor authentication tokens from Google Authenticator.
Technical Details and Dissemination
The malware initially disguises itself as a legitimate app update, immediately requesting powerful permissions. These include enabling Accessibility Services and granting device administration rights. Often, the malware uninstalls its initial stub to evade detection, making it more challenging to remove.
Discovered on July 22, 2025, the campaign quickly spread, with Bitdefender reporting at least 75 unique ads since late July, impacting tens of thousands of users. The attackers were strategic in their approach, localizing the lures in multiple languages, including Vietnamese, Portuguese, Spanish, Turkish, and Arabic, thereby broadening their reach.
From a technical standpoint, the dropper APK has an MD5 checksum of 788cb1965585f5d7b11a0ca35d3346cc and unpacks an embedded payload with an MD5 checksum of 58d6ff96c4ca734cd7dfacc235e105bd. The payload is stored as an encrypted DEX resource. A native library is used to retrieve the decryption keys, and the hidden classes are then loaded via reflection with DexClassLoader, circumventing signature checks.
Malware Capabilities and Impact
Once operational, the malware registers itself as an accessibility service, monitoring keystrokes and potentially displaying counterfeit login screens over legitimate banking and cryptocurrency applications. It is engineered to persist by re-enabling accessibility on reboot and hiding its icon using the PackageManager.setComponentEnabledSetting.
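The loading and persistence techniques described above (an encrypted DEX blob, a native helper library, reflective loading through DexClassLoader, and icon hiding via PackageManager.setComponentEnabledSetting) leave static traces in an APK that a triage script can flag. The following is an added example of such a check, not code from the article or from Bitdefender; it treats an APK as a zip, compares its MD5 to the dropper hash reported above, and searches the DEX and binary manifest for the marker strings. The sample APK it builds is a constructed stand-in, not the real sample.

```python
import hashlib
import io
import math
import os
import zipfile

# Dropper checksum reported in the article; the payload hash applies to the unpacked DEX, not the APK.
KNOWN_DROPPER_MD5 = "788cb1965585f5d7b11a0ca35d3346cc"

# Technique markers from the article: reflective DEX loading, icon hiding, accessibility/device-admin binding.
DEX_MARKERS = [b"Ldalvik/system/DexClassLoader;", b"setComponentEnabledSetting"]
MANIFEST_MARKERS = [b"BIND_ACCESSIBILITY_SERVICE", b"BIND_DEVICE_ADMIN"]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of an APK for the indicators the article describes."""
    findings = {"md5": hashlib.md5(apk_bytes).hexdigest(), "dex_markers": [],
                "manifest_markers": [], "native_libs": [], "high_entropy_blobs": []}
    findings["known_dropper"] = findings["md5"] == KNOWN_DROPPER_MD5
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".dex"):  # DEX string pool is MUTF-8, so ASCII identifiers match directly
                findings["dex_markers"] += [m.decode() for m in DEX_MARKERS if m in data]
            elif name == "AndroidManifest.xml":  # binary AXML string pools are UTF-16LE or UTF-8
                for m in MANIFEST_MARKERS:
                    if m in data or m.decode().encode("utf-16-le") in data:
                        findings["manifest_markers"].append(m.decode())
            elif name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
            elif name.startswith(("assets/", "res/raw/")) and len(data) >= 1024:
                if shannon_entropy(data) > 7.5:  # candidate for an encrypted embedded DEX
                    findings["high_entropy_blobs"].append(name)
    return findings

def build_sample_apk() -> bytes:
    """Constructed toy APK mimicking the dropper layout (hypothetical, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "BIND_ACCESSIBILITY_SERVICE".encode("utf-16-le") + b"\x00" * 16)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(DEX_MARKERS) + b"\x00")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 64)
        zf.writestr("assets/payload.bin", os.urandom(4096))  # stand-in for the encrypted DEX resource
    return buf.getvalue()
```

Any single hit is only a lead: legitimate apps also ship native libraries and accessibility services, so the value lies in the combination of markers, not in one of them.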
By weaponizing Facebook's ad infrastructure and adapting desktop-oriented lures to the Android environment, these threat actors have crafted a campaign with considerable global reach and potential financial repercussions.
In light of these developments, users and organizations in the affected regions and beyond are advised to be vigilant. Scrutinizing the sources of applications, verifying URLs, and restricting sideloading to trusted repositories are crucial steps in defending against such high-impact Android malware activities.