Google removes 224 malicious Android apps behind a large-scale advertising fraud campaign.
A massive Android advertising fraud campaign called 'SlopAds' has been dismantled, after 224 malicious apps on Google Play were found to have generated up to 2.3 billion ad requests per day.
According to a new report from Satori Threat Intelligence, a cybersecurity research and analysis group at the US cybersecurity technology company Human, a large-scale advertising fraud campaign called 'SlopAds' has been exposed.
The research team stated that over 224 malicious apps related to this campaign were downloaded more than 38 million times on Google Play before being detected and removed. These apps not only concealed sophisticated fraudulent activity through masking and hidden text insertion techniques, but also bypassed numerous Google security mechanisms and other defense tools.

SlopAds is not a localized phenomenon but is deployed globally, affecting users in 228 countries. This fraudulent system generated an average of 2.3 billion ad bid requests per day, causing significant losses to the online advertising market. The highest concentration of ad impressions came from the US (30%), followed by India (10%) and Brazil (7%).
Researchers suggest that these malicious applications are mass-produced and of low quality, similar to 'AI slop' – AI-generated junk content. This term also refers to the repository of AI-related applications and services discovered on the command and control servers of the cybercrime group behind the campaign.
From legal to harmful in a single touch.
The perpetrators behind the SlopAds campaign cleverly designed a mechanism that allowed applications to transform from "legitimate" to fraudulent tools as soon as they got onto a user's device. To circumvent Google Play's review process and Android's protection, they used a series of technical tricks to conceal their malicious behavior until the last minute.
When users proactively install an app from the Play Store, the software initially runs like a normal application, showing no unusual signs. However, if users access the app through an advertising link distributed by an attacker, the installation will activate a malicious script after passing through a series of checks.
The application will detect whether it was installed via the Play Store or another source; if the "condition" is met, it downloads an encrypted configuration file containing the path to the fraudulent module, the withdrawal server, and a JavaScript code snippet provided by the attacker.
Next, the application downloads four seemingly harmless PNG image files; this trick is a form of data embedding into the images. These PNG images actually contain code or encrypted APK files.

On the target device, the images are decoded and reassembled to form the actual malware module. When activated, this module uses a hidden WebView to collect device information, mimic real user access, and navigate to a domain network controlled by the attacker.
These domains impersonate gaming and news sites, constantly displaying hidden WebViews—a practice that generates billions of fake impressions and clicks daily, turning fraudulent traffic into real revenue for the scammers.
Sophisticated concealment techniques and contextual triggering processes are the reasons why SlopAds are difficult to detect and particularly dangerous to the digital advertising ecosystem.
How to protect yourself from fraudulent ad-supported apps.
Although Human's Satori Threat Intelligence team hasn't released a detailed list of the 224 apps included in the SlopAds campaign, the good news is that all of them have been removed from Google Play.
Users also don't need to worry too much about manually checking, because Google has updated Play Protect, the built-in security layer on Android, to automatically scan, warn, and request removal if it detects harmful apps on their phones or tablets.
However, that doesn't mean you can let your guard down. Malicious adware doesn't just steal data or manipulate display; it can have unforeseen consequences.
Imagine your phone silently downloading countless random websites throughout the day. This results in depleted mobile data, drained the battery, overheating, and ultimately shortened component lifespan. In many cases, users are forced to replace their devices sooner than expected simply because they mistakenly installed these seemingly harmless apps.
Although SlopAds is not as dangerous as malware that specializes in stealing information or taking control of devices, it still shows that users who download apps from unofficial or unknown sources face much higher risks than when using only official apps from the Google Play Store.
To add an extra layer of protection, you might consider installing a reputable antivirus app for Android alongside Play Protect. If you want more comprehensive protection against threats such as hackers, scammers, or even identity theft, digital identity protection services are also a worthwhile option.
Given the enormous sums of money that the advertising fraud campaign could generate for cybercriminals, SlopAds is certainly not the last trick. Security experts believe that the perpetrators may soon reappear with a similar, more sophisticated campaign.
And that only reinforces a familiar but never-ending reminder: be careful what you download, because one wrong click can cost you dearly.


