Cybercriminals Exploit Facebook Ads to Distribute Android Malware Disguised as TradingView Premium App

In recent weeks, cybersecurity researchers have identified a malvertising campaign on Meta’s Facebook platform targeting Android users. The ads promise a free version of the TradingView Premium application and closely mimic official TradingView branding and visuals, steering users to download what appears to be a legitimate APK file. Once installed, the app deploys a crypto-stealing trojan that abuses Android’s Accessibility Services and screen overlays to harvest credentials, capture two-factor authentication (2FA) codes, and take control of the device.

Campaign Overview

This campaign signifies a notable evolution in mobile-focused malvertising, illustrating how threat actors are adapting traditional desktop-oriented strategies to target the increasingly lucrative Android ecosystem. The malicious advertisements first surfaced on July 22, 2025, and quickly gained traction across Europe and other regions. The ads redirect users to a cloned webpage at new-tw-view[.]online, where they are prompted to download an APK from tradiwiw[.]online/tw-update.apk.

Upon installation, the dropper app immediately requests extensive permissions, masquerading as legitimate update prompts to coax users into enabling Accessibility Services and granting device administration rights. Bitdefender analysts observed that, in many instances, the dropper uninstalls its initial stub after deployment, leaving only the payload to evade detection.

By August 22, 2025, researchers had identified at least 75 unique ads deployed since late July, reaching tens of thousands of users in the European Union alone. The attackers localized their lures in over a dozen languages—including Vietnamese, Portuguese, Spanish, Turkish, and Arabic—to maximize reach and credibility.

Technical Analysis of the Infection Mechanism

The infection chain is a multi-stage process engineered for stealth and persistence. The dropper APK (MD5 `788cb1965585f5d7b11a0ca35d3346cc`) unpacks an embedded payload (MD5 `58d6ff96c4ca734cd7dfacc235e105bd`) that is stored as an encrypted DEX resource inside the application. At runtime a native library retrieves the decryption key, decrypts the DEX and loads the hidden classes via reflection, so the malicious code never appears among the APK’s packaged classes where static analysis would find it.
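The dropper traits described above (an accessibility service and device-admin receiver declared in the manifest, a native loader library, and a large high-entropy blob under assets/ that is really an encrypted DEX) can be flagged with a short static triage script. The following is an added example written for this page, not Bitdefender’s tooling or anything from the campaign. It assumes the manifest has already been decoded to plain XML (for instance with apktool or androguard; real APKs carry a binary AndroidManifest.xml), and the APK it scans is constructed in memory so the script runs offline; the package name, file names and entropy threshold are illustrative choices.

```python
"""Static triage of a sideloaded APK for loader/dropper traits (added example)."""
import hashlib
import io
import math
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEX_MAGIC = b"dex\n"
# Formats that are legitimately high-entropy or expected in an APK; anything
# else that is large and near 8 bits/byte is worth a second look.
KNOWN_MAGIC = (DEX_MAGIC, b"\x89PNG", b"\x7fELF", b"PK\x03\x04", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def manifest_flags(manifest_xml: str) -> dict:
    """Which high-risk capabilities a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    name, perm = f"{{{ANDROID_NS}}}name", f"{{{ANDROID_NS}}}permission"
    flags = {"accessibility_service": False, "device_admin_receiver": False,
             "install_packages": False, "overlay": False}
    for p in root.iter("uses-permission"):
        pn = p.get(name, "")
        if pn == "android.permission.REQUEST_INSTALL_PACKAGES":
            flags["install_packages"] = True
        if pn == "android.permission.SYSTEM_ALERT_WINDOW":
            flags["overlay"] = True
    for svc in root.iter("service"):  # an accessibility service must be bound with this permission
        if svc.get(perm) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            flags["accessibility_service"] = True
    for rcv in root.iter("receiver"):  # a device-admin receiver must be bound with this permission
        if rcv.get(perm) == "android.permission.BIND_DEVICE_ADMIN":
            flags["device_admin_receiver"] = True
    return flags


def suspicious_blobs(apk_bytes: bytes, min_size: int = 2048, min_entropy: float = 7.5) -> list:
    """Entries under assets/ or res/raw/ that are large, high-entropy and not a known format."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if not info.filename.startswith(("assets/", "res/raw/")):
                continue
            data = z.read(info)
            if len(data) < min_size or data.startswith(KNOWN_MAGIC):
                continue
            if shannon_entropy(data) >= min_entropy:
                hits.append(info.filename)
    return hits


def has_native_libs(apk_bytes: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return any(n.startswith("lib/") and n.endswith(".so") for n in z.namelist())


def triage(apk_bytes: bytes, manifest_xml: str) -> dict:
    """Combine the checks: encrypted blob + native code + accessibility/admin = loader pattern."""
    f = manifest_flags(manifest_xml)
    f["encrypted_blobs"] = suspicious_blobs(apk_bytes)
    f["native_libs"] = has_native_libs(apk_bytes)
    f["loader_pattern"] = bool(f["encrypted_blobs"]) and f["native_libs"] and (
        f["accessibility_service"] or f["device_admin_receiver"])
    return f


# Constructed sample manifest (hypothetical package name, not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tradingview.update">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def build_sample_apk() -> bytes:
    """Constructed in-memory APK: stub dex, a native loader and a 4 KiB pseudo-random blob."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 64)
        z.writestr("lib/arm64-v8a/libloader.so", b"\x7fELF" + b"\0" * 64)
        z.writestr("assets/update.bin", blob)          # stands in for the encrypted DEX
        z.writestr("assets/logo.png", b"\x89PNG" + b"\0" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_apk(), SAMPLE_MANIFEST))
```

None of these signals is malicious on its own (a real accessibility tool declares the same service, and game engines ship encrypted assets); the point of `triage` is the combination, which is exactly the loader shape this campaign uses.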

Once activated, the malware registers as an accessibility service, which lets it read on-screen text and UI events (including text as it is typed and the one-time codes shown by Google Authenticator) and draw fake login screens over banking and cryptocurrency applications. This allows it to harvest credentials and 2FA codes and gain unauthorized access to financial accounts.

The malware achieves persistence by re-enabling its accessibility service after a device reboot, and it hides its icon from the app drawer by disabling its own launcher activity through `PackageManager.setComponentEnabledSetting`, so the app no longer appears where a user would look to uninstall it (it remains listed under Settings > Apps). The attack demonstrates a high degree of automation combined with precise targeting of high-value assets on Android devices.
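Both footholds described above leave traces that can be read off a device with adb: `adb shell settings get secure enabled_accessibility_services` lists every package currently granted accessibility access, and `adb shell dumpsys package <pkg>` shows the package’s installer and any components it has disabled on itself, including a MAIN/LAUNCHER activity switched off with `setComponentEnabledSetting`. The script below is an added triage example for this page, not part of the article or of any vendor tool; it parses constructed samples of that command output. The `disabledComponents:` and `installerPackageName=` lines follow the layout current Android releases print, but treat the exact format as an assumption and adjust the patterns to your device; the package name is hypothetical.

```python
"""Post-infection device triage from adb output (added example, constructed samples)."""
import re

# Installers that correspond to a store install; anything else (browser,
# package installer, adb, null) means the APK was sideloaded.
STORE_INSTALLERS = frozenset({"com.android.vending"})


def parse_accessibility_services(settings_output: str) -> list:
    """Package names from 'settings get secure enabled_accessibility_services'.

    The value is colon-separated 'pkg/service' entries; 'null' means none set.
    """
    s = settings_output.strip()
    if not s or s == "null":
        return []
    return [entry.split("/", 1)[0] for entry in s.split(":") if entry]


def _canonical(component: str) -> str:
    """'pkg/.Cls' -> 'pkg.Cls', 'pkg/a.b.Cls' -> 'a.b.Cls' (the class-name form dumpsys lists)."""
    pkg, cls = component.split("/", 1)
    return pkg + cls if cls.startswith(".") else cls


def parse_dumpsys_package(text: str) -> dict:
    """Pull installer, LAUNCHER activities and disabled components out of 'dumpsys package <pkg>'."""
    info = {"package": None, "installer": None,
            "launcher_activities": [], "disabled_components": []}
    current, in_disabled, base_indent = None, False, 0
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        m = re.match(r"\s*Package \[([^\]]+)\]", line)
        if m:
            info["package"] = m.group(1)
        m = re.match(r"\s*installerPackageName=(\S+)", line)
        if m:
            info["installer"] = None if m.group(1) == "null" else m.group(1)
        m = re.match(r"\s*[0-9a-f]+ (\S+/\S+) filter", line)  # intent-filter resolver entry
        if m:
            current = m.group(1)
        if current and 'Category: "android.intent.category.LAUNCHER"' in line:
            info["launcher_activities"].append(current)
        if line.strip() == "disabledComponents:":
            in_disabled, base_indent = True, indent
        elif in_disabled:
            if line.strip() and indent > base_indent:
                info["disabled_components"].append(line.strip())
            else:
                in_disabled = False
    return info


def assess(info: dict, a11y_packages: set) -> list:
    """Findings for one package: accessibility access, hidden launcher icon, sideload."""
    findings = []
    if info["package"] in a11y_packages:
        findings.append("holds accessibility access")
    disabled = set(info["disabled_components"])
    hidden = [a for a in info["launcher_activities"] if _canonical(a) in disabled]
    if hidden:
        findings.append("launcher activity disabled (icon hidden): " + ", ".join(hidden))
    if info["installer"] not in STORE_INSTALLERS:
        findings.append(f"sideloaded (installer={info['installer']})")
    return findings


# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.example.tradingview.update/com.example.tradingview.update.A11y:"
               "com.android.talkback/com.google.android.marvin.talkback.TalkBackService")

# Constructed, abridged output of: adb shell dumpsys package com.example.tradingview.update
SAMPLE_DUMPSYS = """Activity Resolver Table:
  Non-Data Actions:
      android.intent.action.MAIN:
        3f1a9c2 com.example.tradingview.update/.MainActivity filter 5b7d21e
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"

Packages:
  Package [com.example.tradingview.update] (2c9e4d1):
    userId=10234
    versionName=1.0
    installerPackageName=null
    User 0: installed=true hidden=false suspended=false stopped=false
      disabledComponents:
        com.example.tradingview.update.MainActivity
"""


def triage_device(a11y_output: str, dumpsys_output: str) -> list:
    return assess(parse_dumpsys_package(dumpsys_output),
                  set(parse_accessibility_services(a11y_output)))


if __name__ == "__main__":
    for finding in triage_device(SAMPLE_A11Y, SAMPLE_DUMPSYS):
        print("-", finding)
```

A package that is sideloaded, holds accessibility access and has disabled its own launcher activity is almost never legitimate; because the icon is gone, removal has to go through Settings > Apps or `adb uninstall`, and device-admin rights (if granted) must be revoked first.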

Broader Implications and Trends

This campaign reflects a broader trend in cybercrime: as smartphones become central to financial operations—housing crypto wallets, mobile banking apps, and authentication tools—the incentives for successful compromise increase dramatically. By weaponizing Facebook’s advertising infrastructure and exploiting in-depth knowledge of the Android permission model, threat actors have created a potent campaign capable of global reach and significant financial impact.

Other outlets have covered the same campaign. cybersecuritynews.com likewise reports Facebook ads offering a free TradingView Premium app that mimic the official branding and lead Android users to a malicious APK which harvests credentials and seizes control of the device. ([cybersecuritynews.com](https://cybersecuritynews.com/threat-actors-weaponizing-facebook-ads-2/?utm_source=openai))

Additionally, threat actors have hijacked Facebook accounts to run extortion ads. In one notable case, ransomware operators compromised a company’s Facebook account to disseminate ads aimed at pressuring the victim into paying a ransom. This method not only amplifies the attack’s reach but also leverages the trust associated with legitimate social media accounts to deceive a broader audience. ([cybersecuritynews.com](https://cybersecuritynews.com/ransomware-operators-hacked-facebook-accounts-to-run-extortion-ads/?utm_source=openai))

Recommendations for Users

To mitigate the risks associated with such sophisticated malvertising campaigns, users are advised to:

1. Exercise Caution with Advertisements: Be skeptical of ads offering free versions of premium applications, especially those that prompt downloads from unfamiliar sources.

2. Verify App Sources: Only download applications from official app stores or the official websites of trusted developers.

3. Review Permissions: Scrutinize the permissions requested by any application, and be wary of apps that ask for device administration rights or accessibility services without a clear justification. On Android 13 and later, accessibility access for a sideloaded app is blocked behind “Restricted settings” by default; an app that walks you through unblocking it is a red flag.

4. Keep Software Updated: Regularly update your device’s operating system and applications to patch known vulnerabilities.

5. Utilize Security Solutions: Employ reputable mobile security software to detect and prevent malware infections.

6. Enable Two-Factor Authentication: This malware reads one-time codes off the screen, so 2FA is not a complete defense, but it still adds a layer that deters less capable attackers. Where a service supports them, prefer hardware security keys or passkeys, whose secrets are never displayed and so cannot be read by an accessibility service the way a code in an authenticator app can.

By remaining vigilant and adopting these practices, users can significantly reduce their exposure to malicious campaigns that exploit trusted platforms like Facebook to distribute malware.