Malicious ‘TradingView Premium’ Ads Spread from Meta to Google

Summary
– Bitdefender has uncovered a persistent malvertising campaign that initially spread via Facebook Ads and has now expanded to YouTube and Google Ads.
– The campaign uses sophisticated impersonation, including hijacked and rebranded YouTube channels with verified badges, to appear legitimate while promoting fake “free access” to trading platforms.
– These malicious ads redirect users to download custom-built malware designed to steal credentials, cookies, passwords, and cryptocurrency wallet data.
– The malware employs advanced evasion techniques, including an oversized downloader and anti-sandbox checks, and uses a multi-stage infection process.
– The campaign operates on a massive scale, involving over 500 domains, daily ad creation in multiple languages, and the emergence of macOS and Android variants.
A sophisticated and persistent malvertising campaign that originally spread through Facebook Ads has now expanded its reach to Google’s advertising platforms. This operation, which falsely promises free access to TradingView Premium and other financial tools, poses a significant threat to investors and casual users by redirecting them to malware designed to steal sensitive information. Security experts at Bitdefender have tracked this activity for over a year, noting its evolution and increased sophistication.
The scam involves a multi-pronged approach. Threat actors hijacked the Google Ads account of a legitimate Norwegian design agency. Simultaneously, they took control of a verified YouTube channel, stripping it of its original content and meticulously rebranding it to impersonate the official TradingView channel. This fraudulent channel became a powerful weapon because it retained its verified status, making it appear authentic to unsuspecting viewers. The impersonation was convincing due to several factors: the use of official TradingView logos and banners, and the inclusion of playlists linked directly from the real TradingView channel to create an illusion of activity.
Several critical red flags can help identify these scams. The channel handle will not match the official @TradingView name. The channel itself will have virtually no original content and an inexplicably low view count for a supposedly popular brand. Most tellingly, the entire operation relies on unlisted videos promoted exclusively through paid ads, allowing them to avoid public scrutiny. One such video, titled “Free TradingView Premium – Secret Method They Don’t Want You to Know,” garnered over 182,000 views in just days through aggressive advertising, despite being hidden from public search.
The description of these unlisted videos contains links that lead to a malicious executable file. The malware employed in this campaign is notably advanced. The initial downloader is custom-built and deliberately oversized, exceeding 700 MB so that automated analysis systems, which commonly skip files above a size ceiling, never inspect it. It also possesses anti-sandbox capabilities, checking for virtualized environments to hinder both automated and manual investigation. Once it bypasses these defenses, it initiates a multi-stage infection process consistent with information-stealing campaigns. Communication with the command-and-control server has been upgraded from plain HTTP to WebSockets, and the code is heavily obfuscated and encrypted to resist analysis.
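As an added illustration of the oversized-downloader evasion described above (this is example code, not part of Bitdefender's report or ITWire's article): a Python triage helper that flags a download which exceeds a scanner's size ceiling and whose bulk is low-entropy filler. It assumes the inflation is done with padding; the size ceiling, window size, entropy cutoff and the sample binary are all constructed values.

```python
import math
import random
from collections import Counter

# Constructed thresholds (assumptions, not values from the report): many automated
# scanners skip files above a size ceiling, so a bloated download that also consists
# mostly of low-entropy filler is worth a closer look.
SIZE_CEILING = 100 * 1024 * 1024   # bytes; tune to the scanner you actually run
CHUNK = 64 * 1024                  # entropy is measured per 64 KiB window
FILLER_ENTROPY = 1.0               # bits/byte; real code and packed data score far higher

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def filler_ratio(blob: bytes, chunk: int = CHUNK, cutoff: float = FILLER_ENTROPY) -> float:
    """Fraction of fixed-size windows that look like padding (entropy below cutoff)."""
    windows = [blob[off:off + chunk] for off in range(0, len(blob), chunk)]
    if not windows:
        return 0.0
    return sum(shannon_entropy(w) < cutoff for w in windows) / len(windows)

def triage_download(blob: bytes, size_ceiling: int = SIZE_CEILING) -> dict:
    """Report size, filler fraction and whether the file matches the bloated-downloader pattern."""
    ratio = filler_ratio(blob)
    oversized = len(blob) > size_ceiling
    return {
        "size": len(blob),
        "filler_ratio": round(ratio, 3),
        "oversized": oversized,
        # Suspicious only when both signals agree: large enough to dodge scanning
        # and almost entirely padding rather than genuine code or data.
        "suspicious": oversized and ratio > 0.9,
    }

def constructed_sample() -> bytes:
    """Constructed stand-in: 64 KiB of pseudo-random 'real' code followed by 1 MiB of zero padding."""
    rng = random.Random(1)
    return rng.randbytes(64 * 1024) + b"\x00" * (1024 * 1024)

if __name__ == "__main__":
    # A lowered ceiling keeps the demo small; a real scan would use SIZE_CEILING.
    print(triage_download(constructed_sample(), size_ceiling=512 * 1024))
```

The filler ratio is a coarse heuristic: legitimate installers also carry low-entropy resources, so treat a hit as a reason to submit the file for manual analysis rather than as a verdict.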
The final payload is a powerful stealer malware known to researchers as JSCEAL or WeevilProxy. Its capabilities are extensive, including intercepting all user network traffic, harvesting cookies and passwords, keylogging, capturing screenshots, stealing cryptocurrency wallet data, and ensuring long-term persistence on infected systems. The threat actors employ multiple tracking pixels, from Facebook, Google, Microsoft, and others, to monitor campaign effectiveness and potentially filter out requests from security researchers.
This case underscores a serious risk for businesses: a compromised Google account can lead to a connected YouTube channel being weaponized for fraud. Attackers typically gain access through phishing emails or credential-stealing campaigns. They then delete all original content, rebrand the channel to impersonate a trusted brand like TradingView, and exploit its verified status and existing subscriber count to lend credibility to their scams.
Bitdefender’s investigation has linked this campaign to over 500 domains and subdomains. The threat actors are highly active, creating hundreds of ads daily in languages including English, Vietnamese, and Thai. They continuously rotate domains and strategies. Evidence also shows the campaign is expanding, with emerging malware samples designed to target macOS and Android systems, indicating the attackers’ intention to broaden their victim base beyond Windows users.
For individuals, vigilance is the first line of defense. Be extremely cautious of ads offering free premium software. Always verify the channel handle and be suspicious of unlisted videos used in ad campaigns. Only download software from official websites, never from third-party links provided in ads. Use security solutions that can block malicious links and consider using free tools to scrutinize suspicious offers.
Content creators and businesses must take proactive steps to secure their accounts. Enabling strong multi-factor authentication is essential. Regularly audit account access and connected applications. Educate team members on recognizing phishing attempts. Having a plan for rapid response in case of a compromise can significantly mitigate damage. Protecting digital assets is no longer optional but a critical component of modern operational security.
(Source: ITWire Australia)