Particle.news

Meta Malvertising Delivers Brokewell Android Spyware via Fake TradingView Ads

Researchers warn of an active malvertising push using localized Meta promos to install a trojanized Android app enabling full device takeover.

Overview

  • Bitdefender reports at least 75 fake TradingView Premium ads since July 22 that targeted Android users and are still active across the EU.
  • Clicks from Android devices were redirected to spoofed TradingView pages hosting a malicious tw-update.apk on lookalike domains such as tradiwiw.online.
  • Upon installation, the app seeks accessibility rights, displays a fake update screen to grant itself broad permissions, and attempts to capture the lockscreen PIN.
  • The payload is an evolved Brokewell RAT capable of overlay credential theft, scraping Google Authenticator codes, keylogging, screen and audio capture, SMS interception, and crypto wallet targeting.
  • Command-and-control traffic runs over Tor and WebSockets, and remote actions include sending texts, placing calls, uninstalling apps, and self-destructing. This has prompted guidance to avoid sideloading, verify URLs, limit permissions, and be cautious with ads.