
Devious malware infects Meta, then spreads to Google Ads and YouTube


A cross-platform malware campaign

Security researchers reported in August–September 2025 that a malvertising campaign first used Meta’s ad network and later expanded to Google Ads and YouTube, delivering different trojans via each platform.

What appeared to be safe, branded offers instead led users to infected downloads. By moving between multiple trusted platforms, cybercriminals avoided quick detection and reached far more victims than through a single channel, showing how malvertising has become a powerful weapon.


Starting point on Meta ads

The campaign initially used stolen Facebook Business accounts to launch ads promoting a fake “TradingView Premium” app. Victims were directed to professional-looking landing pages or bogus app stores that offered malware instead of real software.

Because the ads came from trusted business accounts, they looked authentic and convincing. This tactic allowed cybercriminals to slip past user skepticism, giving them direct access to thousands of unsuspecting people who believed they were clicking on a legitimate trading tool.

Malicious software involved

Analysis found two types of malware tied to this operation. Researchers observed that the Meta-served Android lure delivered an evolved Brokewell trojan variant, while the Google Ads/YouTube vector used a downloader that researchers linked to the Trojan.Agent.GOSL / WeevilProxy family.

Both families are advanced threats that can quietly gather sensitive information while also keeping infected systems under criminal control for long-term exploitation.


Expanding to Google Ads and YouTube

When their Meta ads began facing takedowns, attackers adapted by hijacking Google advertising accounts and uploading malicious videos on YouTube. Google Ads campaigns redirected users to unlisted YouTube videos, which then pushed viewers toward infected download sites.

This clever shift allowed attackers to exploit Google’s vast reach and strong brand trust, continuing the attack even after losing their initial foothold on Meta. The move highlights how easily malicious actors pivot across platforms to sustain attacks.


Unlisted videos as lures

A key tactic was using unlisted YouTube videos as landing pages. These videos looked like product demos or app walkthroughs but contained download links for the malware.

Because unlisted clips do not appear in search, they attracted less moderation while still being shared through paid ads and links.

At least one unlisted promotional video reportedly gathered more than 100,000–180,000 views before being flagged, according to security reporting.


Android users in the crosshairs

The Meta portion of the campaign primarily targeted Android owners. By promoting a fake TradingView app, criminals lured users into sideloading infected packages. They even mimicked Google Play design elements to trick people into thinking the download was official.

Once installed, the malware could record calls, steal credentials, and monitor location data. Because Android allows installation outside the Play Store, attackers exploited this flexibility to slip past official safeguards and compromise large numbers of devices.


The infection chain in action

The path from click to compromise typically began with a legitimate-looking ad. That ad redirected through several staging websites or a YouTube description link, leading the victim to a fake download portal.

A custom downloader then retrieved the main trojan payload, which installed itself silently and connected back to criminal servers. By spreading the attack across multiple steps and domains, the operators made it harder for security tools to block the entire chain at once.


Breaking into accounts first

To launch such campaigns, attackers needed access to real advertising and creator accounts. They often acquired these through phishing attacks, password reuse, or purchases from underground markets.

With control of a business or YouTube account, criminals could publish ads, videos, or posts that looked authentic and bypassed initial trust checks.

This highlights how compromised advertiser credentials are now as valuable to cybercriminals as stolen credit card numbers, since they provide immediate reach and legitimacy.


Global reach of the attack

Though the first waves appeared in localized campaigns, reports show infections across multiple countries. By reusing ad designs and video templates, attackers scaled quickly and reached new regions without much extra effort.

Because Meta and Google span many countries, localized ad variants let attackers scale quickly; researchers reported infections and ad impressions across several countries in Europe, North Africa and Latin America during July–September 2025.


Exploiting platform trust

The strength of this campaign came from exploiting trust. Ads appearing on Meta or Google, or videos hosted on YouTube, carry an assumption of safety. By abusing verified or business accounts, criminals made their malicious content look even more convincing.

Users rarely expect harmful links inside official-looking ads. This reliance on platform credibility turned everyday browsing into a risk, showing why major platforms are such attractive targets for professional cybercriminal operations today.


How small creators are affected

Smaller advertisers and content creators were often the entry point for attackers. Their accounts, once compromised, provided just enough legitimacy to bypass moderation without drawing quick suspicion.

Criminals used these accounts to launch ads or videos that blended into normal platform activity. This shows why protecting creator and business accounts with strong passwords, two-factor authentication, and regular audits is essential. A single hijacked account can become the launchpad for a large-scale malware campaign.


Deceptive campaigns challenge cybersecurity teams

Traditional defenses often fail against this type of attack because the ads and videos are hosted on legitimate platforms. Redirect chains, shortened URLs, and trusted brand impersonations help malware avoid blacklists.

Even security-conscious users can be fooled when everything looks official. Researchers stress the need for deeper traffic analysis, stricter ad review processes, and close cooperation between platforms and cybersecurity firms to catch such campaigns earlier, before they reach large numbers of victims.


Helpful tips for regular users

There are straightforward ways to reduce risk. Don’t download apps from ad links or video descriptions. Install only from official app stores and verify the developer, enable Play Protect on Android, and report suspicious ads/videos to the platform.

On Android, keep Google Play Protect enabled and avoid sideloading unknown packages. If you see suspicious ads or videos promoting downloads, report them to the platform. These habits can significantly lower the chance of falling victim to malvertising-driven malware.


Advice for advertisers and businesses

Advertisers should treat account security as a top priority. Enabling two-factor authentication, limiting admin access, and monitoring campaigns for unusual redirects are basic safeguards.

Businesses should also regularly audit their advertising and creator accounts for signs of compromise.

Platforms like Meta and Google are urged to improve their takedown speed and tighten onboarding checks, but advertisers themselves play a key role in preventing hijacked accounts from fueling future malware distribution campaigns.
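One way an advertiser could monitor campaigns for unusual redirects is to record where each ad's link actually lands and check the chain for the traits described in this article: shorteners, many staging hops, and a final hop that serves an installer outside an official store. The sketch below is an added example, not code from the researchers or the platforms; the store hosts, shortener list, hop threshold and sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumptions (not from the article): store hosts, shortener list, hop threshold.
OFFICIAL_STORES = {"play.google.com", "apps.apple.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
MAX_SITES = 3
INSTALLER_EXT = (".apk", ".exe", ".msi", ".dmg")


def site(host):
    """Crude registrable-domain guess: the last two labels of the host."""
    return ".".join(host.lower().split(".")[-2:])


def audit_chain(expected_site, chain):
    """Return findings for one recorded redirect chain (ordered list of URLs)."""
    parsed = [urlparse(u) for u in chain]
    hosts = [(p.hostname or "") for p in parsed]
    final = parsed[-1]
    findings = []
    if any(p.scheme != "https" for p in parsed):
        findings.append("non-https hop")
    if any(h in SHORTENERS for h in hosts):
        findings.append("url shortener in chain")
    if len({site(h) for h in hosts}) > MAX_SITES:
        findings.append("many distinct sites")
    if hosts[-1] not in OFFICIAL_STORES and site(hosts[-1]) != expected_site:
        findings.append("lands off the advertiser's site")
    if final.path.lower().endswith(INSTALLER_EXT):
        findings.append("direct installer download")
    return findings


def audit_campaign(expected_site, chains):
    """Map ad id -> findings, keeping only ads that raised at least one."""
    report = {ad: audit_chain(expected_site, c) for ad, c in chains.items()}
    return {ad: f for ad, f in report.items() if f}


# Constructed sample data: chains as a crawler might record them per ad.
SAMPLE_CHAINS = {
    "ad-1": ["https://ads.example.com/click?id=1", "https://www.example.com/pricing"],
    "ad-2": [
        "https://ads.example.com/click?id=2",
        "https://bit.ly/constructed",
        "https://www.youtube.com/watch?v=CONSTRUCTED",
        "http://portal.downloads.test/app/premium.apk",
    ],
}

if __name__ == "__main__":
    for ad, found in audit_campaign("example.com", SAMPLE_CHAINS).items():
        print(ad, found)
```

An ad that the account owner did not create, or whose chain suddenly changes, is the signal to investigate the account itself for compromise.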


Malvertising as a persistent threat

This campaign proves that malvertising is not a passing tactic. By exploiting mainstream platforms and adapting quickly, cybercriminals are able to stay ahead of detection efforts. Each time one channel is blocked, another becomes the delivery system.

Until account security, ad screening, and cross-platform cooperation improve, malvertising will remain a favored strategy for spreading advanced malware. Users, advertisers, and platforms must all remain vigilant to prevent these campaigns from reaching even wider audiences.



What you need to know

The spread of malware from Meta to Google Ads and YouTube highlights how deeply cybercrime can infiltrate trusted online spaces. Instead of shady websites, attacks now ride on the same platforms people rely on every day for work, shopping, and entertainment.

That shift makes defense harder but also underscores the importance of user awareness and stronger platform safeguards. The fight against malvertising is becoming one of the most important battles in online security.


This slideshow was made with AI assistance and human editing.
