Full Report
Many people believe that smartphones are somehow less of a target for threat actors. They couldn’t be more wrong. Bitdefender Labs warns that cybercriminals are doubling down on spreading malware through Meta’s advertising system. After months of targeting Windows desktop users with fake ads for trading and cryptocurrency platforms, hackers are now shifting towards Android users worldwide. Bitdefender researchers recently uncovered a wave of malicious ads on Facebook that lure targets with pro
Analysis Summary
# Tool/Technique: Evolved Brokewell Malware (Crypto-Stealing RAT)
## Overview
An advanced, evolved version of the Brokewell malware, distributed via a wide-reaching malvertising campaign on Meta platforms targeting Android users worldwide. Its primary purpose is credential theft, surveillance, and remote control, with a specialized focus on cryptocurrency theft.
## Technical Details
- Type: Malware family (Spyware/RAT, evolved Brokewell)
- Platform: Android
- Capabilities: Comprehensive surveillance, accessibility abuse, 2FA bypass, crypto credential theft, remote command execution via Tor/WebSockets.
- First Seen: Campaign active since at least July 22, 2025 (based on ad activity dates mentioned).
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on described capabilities.*
- T1059 - Command and Scripting Interpreter
  - T1059.001 - PowerShell (Applicable if internal scripting is used, but focus is on Android framework calls)
- T1219 - Remote Access Software (RAT capabilities)
- T1056 - Input Capture
  - T1056.001 - Keylogging
- T1003 - OS Credential Dumping
  - T1003.002 - Stored Credentials (Relevant to credential harvesting)
- T1539 - Data from Local System (For crypto addresses, IBANs)
- T1547 - Boot or Logon Autostart Execution (Implied persistence mechanism through accessibility)
- T1119 - Automated Collection (Accessibility Service abuse)
## Functionality
### Core Capabilities
- **Crypto Theft**: Scans the device for cryptocurrency wallets (BTC, ETH, USDT) and IBANs.
- **SMS Interception**: Hijacks the default SMS application to intercept banking and Two-Factor Authentication (2FA) messages.
- **Accessibility Abuse**: Requests and utilizes Accessibility Service permissions to gain deep control over the device, often concealed behind fake update prompts.
- **Dropper Functionality**: The initial application setup involves decrypting and executing a second, packed APK file, subsequently uninstalling the dropper to hide initial execution tracks.
### Advanced Features
- **2FA Bypass**: Scrapes and exports codes generated by Google Authenticator.
- **Account Takeover**: Capable of overlaying fake login screens on legitimate applications.
- **Surveillance**: Includes screen recording, keylogging, cookie theft, activation of the camera and microphone, and live location tracking.
- **Remote Control**: Communicates with C2 servers using Tor and WebSockets to receive commands, such as sending SMS, making calls, uninstalling applications, or executing a self-destruct command.
- **Multilingual Support**: Contains strings for permission requests in numerous languages (English, Spanish, Portuguese, German, French, Italian, Turkish, Finnish, etc.).
## Indicators of Compromise
- File Hashes:
- Initial APK MD5: `788cb1965585f5d7b11a0ca35d3346cc`
- Dropped/Packed APK MD5: `58d6ff96c4ca734cd7dfacc235e105bd` (the source article lists this as the MD5 of the packed APK; the value is 32 hex digits, which is MD5 length, so it should not be treated as a SHA256).
- File Names: Malicious `.apk` file delivered as a fake TradingView Premium app.
- Registry Keys: N/A (Android Platform)
- Network Indicators: C2 communication utilizes **Tor** and **WebSockets**.
- Behavioral Indicators: Immediately requests Accessibility access; displays fake update prompts post-access grant; overlays WebView prompts (e.g., prompting for Venmo installation); attempts to harvest lock screen PINs.
## Associated Threat Actors
- Threat actors utilizing commodity malvertising campaigns focused on financial theft, targeting cryptocurrency users. The description does not explicitly name a specific established threat group, but frames it as cybercriminals leveraging sophisticated tools.
## Detection Methods
- Signature-based detection: File hash matching for the initial and dropped APKs.
- Behavioral detection: Monitoring for applications requesting Accessibility Services permission immediately after installation, especially when masked by fake prompts, and attempts to intercept SMS or interact with Google Authenticator.
- YARA rules: none are provided in the source; candidate rule content would be the specific string decryption patterns or unique code structure of the evolved Brokewell routines.
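A static triage check for the capability mix the Functionality and Detection Methods sections describe (an accessibility service combined with SMS interception, overlay and surveillance permissions), as an added example that is not Bitdefender's tooling or code from the report. The manifest is a constructed sample, and a real APK would first be decoded (for example with apktool) to obtain a plain-text AndroidManifest.xml.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups matching the behaviours described in the report.
RISK_GROUPS = {
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "surveillance": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
                     "android.permission.ACCESS_FINE_LOCATION"},
}

# Constructed manifest resembling the dropped payload; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tvpremium">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the risk groups hit by a decoded AndroidManifest.xml and a verdict."""
    root = ET.fromstring(xml_text)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # An accessibility service is declared by protecting the <service> with
    # BIND_ACCESSIBILITY_SERVICE, not via <uses-permission>, so collect those too.
    declared |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    declared.discard(None)
    hits = {grp: sorted(declared & perms)
            for grp, perms in RISK_GROUPS.items() if declared & perms}
    # Accessibility combined with SMS interception or overlays is the banker
    # pattern the report describes; flag it as high regardless of other hits.
    if "accessibility" in hits and (hits.keys() & {"sms", "overlay"}):
        verdict = "high"
    elif len(hits) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "groups": hits, "verdict": verdict}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The verdict is a triage signal only; legitimate SMS or accessibility apps will also score, so it should feed analyst review rather than an automatic block.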
## Mitigation Strategies
- **User Education**: Increase awareness regarding malvertising campaigns, especially those promising "premium" software for free via social media ads.
- **App Scrutiny**: Exercise extreme caution when granting Accessibility permissions; verify the legitimacy of update prompts outside the expected application flow.
- **Platform Hardening**: Restrict installation of applications from sources outside trusted official app stores (although this campaign relies on tricking users into sideloading).
- **Security Measures**: Deploy advanced mobile threat defense solutions capable of detecting dynamic payload extraction and C2 communication over Tor.
## Related Tools/Techniques
- Brokewell malware (The predecessor/base family).
- General Crypto-Stealing Trojans targeting Android.
- Automated overlay attacks utilizing system permissions (common in high-end Android malware).
- EyeSpy (Mentioned in related reading, indicating similar sophisticated spyware campaigns exist).