Google removes 224 malicious Android apps behind large-scale ad fraud campaign

According to a new report from the Satori Threat Intelligence cybersecurity research and analysis team of US cybersecurity technology company Human, a large-scale advertising fraud campaign called 'SlopAds' has been exposed.

The researchers said that more than 224 malicious apps associated with the campaign were downloaded more than 38 million times on Google Play before being detected and removed. The apps not only hid their sophisticated fraud through obfuscation and text injection techniques, but also bypassed many of Google’s security mechanisms and other defense tools.

SlopAds was not a local phenomenon but was deployed globally, with users in 228 countries affected. The fraudulent system generated an average of 2.3 billion ad bid requests per day, causing heavy losses in the online advertising market. The largest concentration of ad impressions came from the US (30%), followed by India (10%) and Brazil (7%).

Researchers say these malicious apps are mass-produced and of low quality, resembling 'AI slop' - AI-generated junk content - and the term also refers to the store of AI-related apps and services found on the control servers of the cybercriminal group behind the campaign.

From legal to toxic in one click

The SlopAds campaign’s creators have cleverly engineered a mechanism that allows the app to transform from “legitimate” to a cheating tool as soon as it lands on a user’s device. To avoid Google Play’s review process and Android’s protection, they use a series of technical tricks to hide their malicious behavior until the last minute.

When a user installs the app from the Play Store, the software initially runs as a normal app, without any signs of abnormality. But if the user accesses the app through an ad link distributed by the attacker, the installer will trigger the malicious script after passing a series of checks.

The app will detect whether it was installed via the Play Store or another source, and if the “condition” is met, it downloads an encrypted configuration file containing the path to the fraud module, the withdrawal server, and a piece of JavaScript code provided by the attacker.

Next, the app downloads four seemingly harmless PNG image files, which are a form of data injection. The PNG images actually contain code or encrypted parts of the APK file.

On the target device, the image is decoded and reassembled to form the actual malware module. When activated, the module uses a hidden WebView to collect device information, emulate real user access, and navigate to the attacker-controlled domain network.

These domains impersonate gaming and news sites, continuously displaying hidden WebViews, a behavior that generates billions of fake impressions and clicks every day, turning fake traffic into real revenue for the crooks.

Sophisticated cloaking techniques and contextual triggering are what make SlopAds so difficult to detect and so dangerous to the digital advertising ecosystem.

How to protect yourself from ad fraud apps

While Human's Satori Threat Intelligence team has not yet released a detailed list of the 224 apps involved in the SlopAds campaign, the good news is that all of them have been removed from Google Play.

Users also do not need to worry too much about checking by themselves, because Google has updated Play Protect, the built-in security layer on Android to automatically scan, warn and request removal if it detects harmful applications on phones or tablets.

However, that doesn’t mean you can let your guard down. Malicious adware doesn’t just steal data or cause display fraud, it can also cause unpredictable consequences.

Imagine your phone silently downloading a series of random websites all day long, resulting in consuming mobile data, draining the battery, heating up the device, and shortening the lifespan of components. In many cases, users are forced to replace their devices sooner than expected just because they mistakenly installed these seemingly harmless applications.

Although SlopAds is not as dangerous as other types of malware that specializes in stealing information or taking control of devices, it still shows the fact that users who download external or unknown-origin applications face much higher risks than when only using official apps on the Google Play Store.

For an added layer of protection, consider installing a reputable antivirus app for Android alongside Play Protect. If you want more comprehensive protection against threats like hackers, scammers, or even identity thieves, digital identity protection services are also worth considering.

Given the huge amount of money that ad fraud can generate for cybercriminals, SlopAds is certainly not the last of its kind. Security experts believe that the perpetrators could soon resurface with a similar, more sophisticated campaign.

And that just reinforces a familiar but never-stale reminder to be careful what you download, because one wrong click can be costly./.