Sophisticated Facebook Malvertising Campaign Targets Android Users with Brokewell Spyware

August 29, 2025
  • A sophisticated malvertising campaign on Facebook is actively distributing Brokewell spyware to Android users, primarily through fake ads that mimic official branding, especially targeting the TradingView platform with promises of high-value items.

  • Cybersecurity researchers have uncovered that this campaign uses a multi-stage infection process involving cryptographic checks, dynamic class loading, and stealth techniques such as hiding app icons and re-enabling accessibility services after reboot to evade detection.

  • Once installed, the spyware can record screen activity, log keystrokes, access the device's camera and microphone, and intercept sensitive messages, including banking and security codes, making it highly invasive.

  • The malware employs techniques like overlay tactics and accessibility abuses to steal credentials, bypass two-factor authentication, and take control of the device, often using fake update prompts to gain necessary permissions.

  • Attackers have localized their lures in over a dozen languages, including Vietnamese, Portuguese, Spanish, Turkish, and Arabic, to maximize their reach across diverse regions.

  • The campaign, which began around late July 2025, rapidly spread across Europe and other regions, with at least 75 unique ads reaching tens of thousands of users in the EU alone.

  • The malicious ads mimic official branding and visuals, redirecting victims to cloned webpages where they download malicious APKs that request high-level permissions through fake update prompts.

  • These APKs deploy advanced malware capable of stealing cryptocurrencies, bypassing two-factor authentication, and maintaining persistent control over infected devices.

  • This campaign exemplifies a broader trend of weaponizing mobile platforms, especially as smartphones become central to financial transactions like crypto wallets and banking apps.

  • The Brokewell spyware has been active since early 2024, previously spreading via fake Chrome updates before evolving into this targeted Facebook ad campaign.

  • The campaign demonstrates high levels of automation and precision, leveraging Facebook’s ad infrastructure and detailed knowledge of Android permissions to target high-value assets effectively.

  • Security experts recommend users avoid clicking on social media ads, scrutinize URLs carefully, review app permissions, avoid sideloading from unofficial sources, and remain cautious even on trusted platforms like Facebook.

Summary based on 2 sources



Sources

Fake Facebook Ads Push Brokewell Spyware to Android Users

Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto • Aug 29, 2025
