# Crooks Exploit Meta Malvertising to Target Android Users with Brokewell
In a concerning development, cybercriminals have been exploiting Meta's malvertising platform to target Android users with the Brokewell malware. This malicious campaign, which began in July 2024, has seen at least 75 fake ads distributed via cloned sites, luring unsuspecting users into downloading and installing the trojanized app.
## The Brokewell Malware
The Brokewell malware is a sophisticated spyware and remote access trojan (RAT) that supports extensive capabilities to monitor, control, and steal sensitive data. According to Bitdefender researchers, the malicious Android app is highly obfuscated, using techniques such as native libraries, reflection, and JSON configuration to hide most of its code.
Once installed, the Brokewell dropper requests accessibility permissions, hides behind fake update prompts, and tricks users into giving up their lock screen PINs. It then deploys the main payload, which communicates with its C2 servers over Tor and WebSocket and supports an extensive command set for espionage, including clipboard and email scraping, keylogging, camera/microphone access, geolocation tracking, SMS/call control, crypto wallet theft, system manipulation, and stealth/uninstall protections.
## Advanced Capabilities
The Brokewell malware is a full-fledged spyware and RAT with a vast arsenal of tools designed to monitor, control, and steal sensitive information from the victim's device. Its capabilities include:
- Clipboard and email scraping
- Keylogging
- Camera and microphone access
- Geolocation tracking
- SMS and call control
- Crypto wallet theft
- System manipulation
- Stealth and uninstall protections
In addition to these features, the Brokewell malware also supports advanced device operations like VNC streaming, device mode toggles, overlay injection, and remote execution. This makes it a highly versatile and comprehensive surveillance and control tool.
## The Threat
The Brokewell malware is particularly dangerous because of its ability to monitor and control sensitive information on the victim's device. According to Bitdefender, "Once installed, the malware reveals itself as far more than a simple credential stealer. It’s an advanced version of the Brokewell malware, a full-fledged spyware and remote access trojan (RAT) with a vast arsenal of tools designed to monitor, control, and steal sensitive information from the victim's device."
## Prevention and Mitigation
To avoid falling prey to this malicious campaign, experts recommend taking several precautions:
- Only install apps from official stores
- Avoid suspicious ads and cloned sites
- Check URLs before downloading or installing anything
- Review app permissions carefully
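The "review app permissions carefully" advice can be turned into a repeatable check. The script below is an added example, not code from the article or from Bitdefender: it parses the output of `adb shell dumpsys package` together with the secure setting `enabled_accessibility_services` and flags packages that combine the permission set this family relies on (overlay, SMS, microphone/camera, sideloading) with an enabled accessibility service. The package names and the dumpsys excerpt are constructed sample data; the regexes assume the usual `Package [name]` / `requested permissions:` layout of dumpsys on common Android builds, and the risk weights are an assumption chosen for illustration.

```python
"""
Triage installed Android packages for the permission/accessibility
combination that banking spyware such as Brokewell depends on.

Inputs: the text of `adb shell dumpsys package` and the value of
`adb shell settings get secure enabled_accessibility_services`.
All sample data below is constructed; no real device output is embedded.
"""
import re
from collections import defaultdict

# Permissions that map onto the capabilities described in the article.
# BIND_ACCESSIBILITY_SERVICE is declared on the service, not requested by
# the app, so accessibility is detected from the secure setting instead.
HIGH_RISK_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay injection",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.SEND_SMS": "SMS control",
    "android.permission.READ_CALL_LOG": "call monitoring",
    "android.permission.CALL_PHONE": "call control",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.CAMERA": "camera access",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideloading further APKs",
}

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)")


def parse_dumpsys_packages(text):
    """Return {package: set(permission names)} from dumpsys package output."""
    perms = defaultdict(set)
    current, in_perm_block = None, False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current, in_perm_block = m.group(1), False
            continue
        if current is None:
            continue
        stripped = line.strip()
        pm = PERM_RE.match(line)
        if stripped.endswith(":") and not pm:
            # Section header such as "requested permissions:" or "install permissions:"
            in_perm_block = stripped.endswith("permissions:")
            continue
        if in_perm_block and pm:
            perms[current].add(pm.group(1))
    return dict(perms)


def parse_enabled_accessibility(setting_value):
    """Parse the colon-separated 'pkg/component' list; 'null' means none enabled."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {e.split("/", 1)[0] for e in setting_value.strip().split(":") if e}


def assess(perms_by_pkg, accessibility_pkgs, allowlist=frozenset(), threshold=4):
    """Score each package; return {package: {"score", "reasons"}} for those above threshold."""
    findings = {}
    for pkg, perms in perms_by_pkg.items():
        if pkg in allowlist:
            continue  # known-good SMS client, dialer, etc.
        hits = sorted(p for p in perms if p in HIGH_RISK_PERMS)
        score = len(hits)
        reasons = [HIGH_RISK_PERMS[p] for p in hits]
        if pkg in accessibility_pkgs:
            score += 3
            reasons.append("accessibility service currently ENABLED")
            if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
                score += 2  # overlay + accessibility is the classic banking-trojan pairing
                reasons.append("overlay + accessibility combination")
        if score >= threshold:
            findings[pkg] = {"score": score, "reasons": reasons}
    return findings


def triage(dumpsys_text, accessibility_setting, allowlist=frozenset()):
    return assess(parse_dumpsys_packages(dumpsys_text),
                  parse_enabled_accessibility(accessibility_setting), allowlist)


# Constructed sample: one suspicious sideloaded "update" app and one benign app.
SAMPLE_DUMPSYS = """\
Package [com.example.fakeupdate] (a1b2c3):
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.notes] (d4e5f6):
    versionName=2.3
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
"""
SAMPLE_ACCESSIBILITY = "com.example.fakeupdate/com.example.fakeupdate.UpdateService"

if __name__ == "__main__":
    for pkg, info in triage(SAMPLE_DUMPSYS, SAMPLE_ACCESSIBILITY).items():
        print(f"{pkg}: score={info['score']}")
        for r in info["reasons"]:
            print(f"  - {r}")
```

On a real device, feed the script the two command outputs captured over adb. The scoring is deliberately coarse: a legitimate SMS client or dialer will also request SMS and call permissions, which is what the allowlist is for; the strongest signal is a recently sideloaded package whose accessibility service is enabled and which also holds the overlay permission.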
As Bitdefender notes, "This expansion signals an alarming trend: mobile users are no longer safe from malvertising campaigns that once primarily targeted desktops. The combination of brand impersonation, localized ads, and sophisticated malware capabilities makes this campaign especially dangerous."
In particular, the rise of mobile banking, crypto wallets, and 2FA apps on smartphones has raised the stakes, as a single compromised Android device can hand over access to a victim's finances, personal communications, and sensitive accounts.
Stay vigilant and keep your devices secure!