Concise Cyber


The Growing Threat: Brokewell Android Malware Delivered Through Fake TradingView Ads

Cybercriminals are constantly evolving their tactics, and a recent campaign highlights a dangerous shift toward mobile users. A new variant of the Brokewell Android malware is being distributed through fake ads for the popular financial charting platform TradingView. This highly advanced threat poses a significant risk to anyone who uses an Android device for trading or other financial activities.


How the Attack Works 🎣

The attack chain begins with malicious ads, often placed on social media platforms such as Facebook. These ads are designed to look legitimate, using TradingView’s branding and promising a free “Premium” app for Android. When a user clicks one of these ads, they are redirected to a cloned web page that looks almost identical to the official TradingView site.

Unsuspecting users who try to download the app from this fake site actually download a malicious .apk file. Once installed, the app immediately requests powerful permissions, particularly Accessibility Services. It often shows a fake update prompt to hide what it is doing in the background: granting itself every permission it needs to take over the device.


What Makes Brokewell So Dangerous 💥

Brokewell is sophisticated malware that acts as full-fledged spyware and a Remote Access Trojan (RAT). Unlike simple banking Trojans, it gives attackers extensive control over the infected device. Its capabilities include:

  • Crypto and Financial Theft: The malware scans for a variety of financial information, including cryptocurrency wallet addresses (BTC, ETH, USDT) and International Bank Account Numbers (IBANs). It uses overlay attacks to display fake login screens on top of legitimate banking or crypto apps to steal credentials.
  • Complete Device Takeover: Brokewell can stream the device’s screen in real time, record audio, and log all user actions such as keystrokes, touches, and swipes. It can even bypass the lock screen by tricking the user into entering their PIN on a fake screen.
  • Bypassing Security: The malware uses a loader to bypass security restrictions on modern Android versions (13 and above). It is constantly being updated, with new commands and features added regularly, making it a persistent and evolving threat.

This level of control allows attackers to commit fraud directly from the victim’s device, which makes it very difficult for traditional fraud detection systems to flag the activity as malicious.


How to Protect Yourself 🛡️

Staying safe from threats like Brokewell requires vigilance and proactive security measures.

  • Avoid Third-Party App Stores: Only download apps from official and trusted sources like the Google Play Store. Never download an app from a link in an ad or a third-party website, even if it looks official.
  • Be Skeptical of Ads: Be cautious of social media ads, especially those that promise “free” premium versions of popular apps. If an offer seems too good to be true, it probably is.
  • Check Permissions Carefully: When installing a new app, especially one that’s not from the Google Play Store, pay close attention to the permissions it requests. Be extremely wary of any app that asks for Accessibility Services permission, as this is a common way for malware to gain control.
  • Keep Your Device Updated: Ensure your Android operating system and all your apps are up to date. Security patches are crucial for protecting against new vulnerabilities.
  • Use Mobile Security Software: Install a reputable mobile antivirus or security solution to help detect and block malware.
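Both the attack chain above and the "Check Permissions Carefully" advice come down to one observable: an app that was not installed from a trusted store and that holds an enabled Accessibility Service. The following triage script is an added example, not code from the original post or from TradingView. It assumes the text formats of two adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -3 -i`, both shown here as constructed sample output) and uses made-up package names.

```python
"""Triage helper: flag third-party apps that hold an enabled Accessibility Service
but were not installed by a trusted installer (e.g. Google Play).

Added example; assumes the output formats of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3 -i      # third-party packages with installer
The sample strings below are constructed, and the package names are made up.
"""
import subprocess
from typing import Dict, List, Set

# Installers a practitioner would normally trust. Extend with an enterprise
# MDM installer package if the fleet uses one.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Constructed sample: colon-separated package/service pairs, as the settings
# provider returns them (the string "null" means no service is enabled).
SAMPLE_ENABLED_SERVICES = (
    "com.example.screenreader/.ReaderService:"
    "com.example.fakeupdate/com.example.fakeupdate.AccService"
)

# Constructed sample of `pm list packages -3 -i`. installer=null is what a
# browser download or `adb install` produces.
SAMPLE_INSTALLERS = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_enabled_services(raw: str) -> Dict[str, List[str]]:
    """Map package name -> list of enabled accessibility service class names."""
    result: Dict[str, List[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return result
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        result.setdefault(pkg, []).append(svc)
    return result


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package ("null" when sideloaded)."""
    result: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        result[pkg.strip()] = rest.strip() or "null"
    return result


def flag_sideloaded_accessibility(services: Dict[str, List[str]],
                                  installers: Dict[str, str],
                                  trusted: Set[str] = TRUSTED_INSTALLERS) -> List[dict]:
    """Return packages holding an accessibility service whose installer is untrusted.

    A package missing from the installer map (e.g. a system app when -3 is
    used) is reported as installer "unknown" so it is never silently skipped.
    """
    flagged = []
    for pkg, svcs in services.items():
        installer = installers.get(pkg, "unknown")
        if installer not in trusted:
            flagged.append({"package": pkg, "installer": installer, "services": svcs})
    return flagged


def adb_shell(*args: str) -> str:
    """Run an adb shell command against the connected device and return stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Live run against a USB-debugging-enabled device; falls back to the
    # constructed samples if adb is not available.
    try:
        enabled = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
        installed = adb_shell("pm", "list", "packages", "-3", "-i")
    except (FileNotFoundError, subprocess.CalledProcessError):
        enabled, installed = SAMPLE_ENABLED_SERVICES, SAMPLE_INSTALLERS
    for hit in flag_sideloaded_accessibility(parse_enabled_services(enabled),
                                             parse_installers(installed)):
        print(f"[!] {hit['package']} (installer={hit['installer']}): {hit['services']}")
```

On the constructed sample the script reports only `com.example.fakeupdate`, the app with `installer=null`, which matches the post's description of a sideloaded .apk that grants itself Accessibility Services behind a fake update prompt. The `-3` flag limits the package list to third-party apps, because preinstalled system apps also show `installer=null` and would otherwise produce noise.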