Full Report
Cybercriminals are abusing Meta's advertising platforms with fake offers of a free TradingView Premium app that spreads the Brokewell malware for Android. [...]
Analysis Summary
# Tool/Technique: Brokewell Android Malware
## Overview
Brokewell is an Android banking trojan recently observed being distributed through malvertising on Meta's advertising platforms, with ads offering a free TradingView Premium app. Its primary purpose is to steal cryptocurrency and banking data, monitor user activity, and give the operator remote control of the compromised device.
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: Theft of cryptocurrency and banking data, Google Authenticator code theft (2FA bypass), overlay attacks, screen recording, keystroke logging, SMS interception, remote control over Tor or WebSockets.
- First Seen: Early 2024 (the TradingView malvertising campaign has been active since at least July 22, 2025)
## MITRE ATT&CK Mapping
*Note: Mappings use the ATT&CK for Mobile matrix and are derived from the behavior described below, not from observed telemetry; C2 infrastructure details are limited.*
- **TA0035 - Collection**
- T1417.001 - Input Capture: Keylogging (keystroke logging, Google Authenticator code theft)
- T1417.002 - Input Capture: GUI Input Capture (overlay login screens, fake update prompt capturing the lock screen PIN)
- T1513 - Screen Capture (screen recording)
- T1636.004 - Protected User Data: SMS Messages (interception of banking and 2FA SMS)
- T1430 - Location Tracking
- T1429 - Audio Capture and T1512 - Video Capture (microphone and camera activation)
- **TA0036 - Exfiltration**
- T1646 - Exfiltration Over C2 Channel (stolen data and cookies returned over the remote control channel)
- **TA0037 - Command and Control**
- T1437.001 - Application Layer Protocol: Web Protocols (WebSockets); Tor is also used to reach the operator
- **TA0034 - Impact**
- T1582 - SMS Control (sending SMS from the device)
- T1616 - Call Control (placing calls)
- **TA0030 - Defense Evasion**
- T1630.001 - Indicator Removal on Host: Uninstall Malicious Application (self-destruct)
## Functionality
### Core Capabilities
- **Financial Data Theft:** Scans for Bitcoin (BTC), Ethereum (ETH), and USDT wallet addresses, as well as IBANs (international bank account numbers).
- **2FA Bypass:** Steals codes from Google Authenticator.
- **Overlay Attacks:** Draws fake login screens over legitimate apps to capture credentials.
- **Surveillance:** Records screens, logs keystrokes, steals browser cookies.
- **SMS Hijacking:** Intercepts messages, specifically targeting banking and 2FA codes.
### Advanced Features
- **Accessibility Abuse:** Requests Android Accessibility Services and, once granted, uses them to control the device and to hide its activity behind fake system update prompts that capture the device PIN or lock screen password.
- **Location Tracking:** Tracks the geographical location of the device.
- **Remote Control:** Receives operator commands over Tor or WebSockets.
- **Remote Actions:** Can send SMS messages, place calls, uninstall applications, and self-destruct.
- **Media Monitoring:** Activates the camera and microphone for monitoring.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: `tw-update.apk` (The dropped malicious file)
- Registry Keys: Not applicable (Android). The equivalent host artifacts are the permissions the app requests and the Accessibility Service it enables.
- Network Indicators: `tradiwiw[.]online/` (defanged), the site hosting the dropped APK.
- Behavioral Indicators: Prompts for Accessibility permissions, displays fake system update screens requesting lockscreen PIN/password, establishes remote connections over Tor or Websockets.
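The domain and filename above are enough for a retro-hunt over proxy and DNS logs. The following Python is an added example, not code from the original report: it refangs the published indicators, matches hostnames as the exact domain or a subdomain of it (so a look-alike such as `nottradiwiw.online` does not false-positive), and matches the dropped filename case-insensitively wherever it appears in a URL path. The log lines are constructed for the example; only `tradiwiw[.]online` and `tw-update.apk` come from the report.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as published in the report, kept defanged.
DEFANGED_DOMAINS = ["tradiwiw[.]online"]
MALICIOUS_FILENAMES = ["tw-update.apk"]

# A bare token that looks like a hostname (letters-only TLD, so IPs and timestamps skip).
HOST_TOKEN = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def refang(indicator):
    """Turn a defanged indicator into its live form for matching against logs."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def host_matches(host, domain):
    """True when host is the domain itself or a subdomain of it. A plain substring
    test would also flag nottradiwiw.online, so the label boundary matters."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_token(token):
    """Return (host, filename) for one whitespace-separated log token; either may be ''."""
    token = token.strip(",;\"'")
    if "://" in token:
        parsed = urlparse(token)
        return parsed.hostname or "", parsed.path.rsplit("/", 1)[-1]
    low = token.lower().rstrip(".")
    if HOST_TOKEN.match(low):
        return low, ""
    return "", token.rsplit("/", 1)[-1]


def scan_log(lines, domains=DEFANGED_DOMAINS, filenames=MALICIOUS_FILENAMES):
    """Return [(line_no, [matched indicators], line)] for lines touching any indicator."""
    live_domains = [refang(d) for d in domains]
    wanted_files = {f.lower() for f in filenames}
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = set()
        for token in line.split():
            host, filename = classify_token(token)
            reasons.update(d for d in live_domains if host and host_matches(host, d))
            if filename.lower() in wanted_files:
                reasons.add(filename.lower())
        if reasons:
            hits.append((n, sorted(reasons), line))
    return hits


# Constructed proxy/DNS log lines for the example; only the indicator strings are real.
SAMPLE_LOG = [
    "2025-07-22T10:14:59Z 10.0.0.12 dns A tradiwiw.online",
    "2025-07-22T10:15:01Z 10.0.0.12 GET https://tradiwiw.online/tw-update.apk 200",
    "2025-07-22T10:15:30Z 10.0.0.17 GET https://www.tradingview.com/ 200",
    "2025-07-22T10:16:02Z 10.0.0.12 dns A cdn.TRADIWIW.online.",
    "2025-07-22T10:20:11Z 10.0.0.33 GET https://files.example.net/dl/TW-UPDATE.APK 200",
    "2025-07-22T10:21:00Z 10.0.0.40 GET https://nottradiwiw.online/ 200",
]

if __name__ == "__main__":
    for n, reasons, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)} <- {line}")
```

Feed it real log lines by replacing `SAMPLE_LOG`; the token-based approach is format-agnostic as long as URLs and hostnames appear as whitespace-separated fields. A hit on the filename alone (line 5 in the sample) is weaker evidence than a hit on the domain, since the same filename could be hosted elsewhere, but it is worth pivoting on.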
## Associated Threat Actors
- The specific threat actor group is not named in the context, but the campaign is noted as part of a larger operation that previously targeted Windows users using similar malvertising tactics impersonating well-known brands.
## Detection Methods
- Signature-based detection: No hashes or signatures are given in the source; hash- or signing-certificate-based detection is only possible once a sample has been analysed.
- Behavioral detection: Monitor for sideloaded apps that request Accessibility Services, display fake system update screens asking for the lock screen PIN or password, hold SMS, overlay, camera or microphone permissions, or connect to Tor or other high-risk C2 infrastructure.
- YARA rules: [Not available in the context]
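Behavioral triage of a suspect handset can be scripted around two adb outputs: `settings get secure enabled_accessibility_services` (a colon-separated list of `package/service` pairs, or the literal `null` when none are enabled) and `dumpsys package <pkg>` (whose permission sections print `<permission>: granted=true|false` lines). The Python below is an added example, not from the original report: it flags any enabled Accessibility Service outside an assumed allowlist and correlates it with granted SMS, overlay, camera, microphone, location and call permissions, the combination the capabilities above rely on. The package name `com.tw.update`, the allowlist and the dumpsys excerpt are constructed for the example and are not indicators from the report.

```python
import re

# Assumed allowlist of Accessibility Services expected on the fleet (constructed for
# this example; TalkBack is the stock Android screen reader). Extend per environment.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Permissions that, combined with an Accessibility Service, match the capabilities
# described for Brokewell: SMS interception/sending, overlays, camera, mic, location, calls.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CALL_PHONE",
}

# Matches the `<permission>: granted=true` lines in `dumpsys package` output.
GRANTED_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_0-9]+): granted=true\b")


def unexpected_accessibility_services(settings_value, allowlist=KNOWN_GOOD_SERVICES):
    """Parse the value of `settings get secure enabled_accessibility_services`
    (colon-separated package/service pairs, or `null` when none are enabled)
    and return every entry that is not on the allowlist."""
    value = settings_value.strip()
    if value in ("", "null"):
        return []
    entries = [e.strip() for e in value.split(":") if e.strip()]
    return [e for e in entries if e not in allowlist]


def granted_suspect_permissions(dumpsys_output, suspect=SUSPECT_PERMISSIONS):
    """Collect granted permissions from `dumpsys package <pkg>` output that fall in
    the suspect set. Lines with granted=false are ignored."""
    found = set()
    for line in dumpsys_output.splitlines():
        m = GRANTED_LINE.match(line)
        if m and m.group(1) in suspect:
            found.add(m.group(1))
    return sorted(found)


def triage(settings_value, dumpsys_by_package):
    """Correlate the two sources: an Accessibility Service outside the allowlist whose
    package also holds two or more suspect permissions is rated high."""
    findings = []
    for service in unexpected_accessibility_services(settings_value):
        pkg = service.split("/", 1)[0]
        perms = granted_suspect_permissions(dumpsys_by_package.get(pkg, ""))
        findings.append({
            "package": pkg,
            "service": service,
            "permissions": perms,
            "severity": "high" if len(perms) >= 2 else "review",
        })
    return findings


# Constructed sample data standing in for the adb outputs; com.tw.update is a
# hypothetical package name, not an indicator from the report.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.tw.update/com.tw.update.UpdateAccessibilityService"
)
SAMPLE_DUMPSYS = {
    "com.tw.update": """\
  install permissions:
      android.permission.RECEIVE_SMS: granted=true
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
  runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
""",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_DUMPSYS):
        print(f"[{f['severity']}] {f['package']} runs {f['service']}")
        for p in f["permissions"]:
            print("    granted:", p)
```

On a real device, capture the inputs with `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>` for each flagged package. The exact layout of `dumpsys package` varies between Android versions, so the regex is an assumption to be checked against the target build; the allowlist must be tuned to whatever screen readers or enterprise agents legitimately use Accessibility on the fleet.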
## Mitigation Strategies
- Prevention measures: Install apps only from the official Google Play Store and keep Google Play Protect enabled; never install an APK reached through an advertisement, and treat ads offering a free premium version of legitimate software as a red flag.
- Hardening recommendations: Deny Accessibility Services to any newly installed or sideloaded app by default, since that single grant underpins the overlay, keylogging and PIN capture described above; on managed devices, block installation from unknown sources and restrict Accessibility grants through MDM policy. Verify an APK's source before installing it.
## Related Tools/Techniques
- Previous iterations of this malware campaign targeted Windows users using similar malvertising tactics.
- Its reliance on Accessibility Services for overlays, keylogging and remote control places Brokewell alongside other Android banking trojans that abuse the same service.