Android phone users should check and remove these malicious apps immediately
Google recently removed more than 350 apps from the Play Store after US cyber threat intelligence and research organization Human Security exposed a large-scale advertising fraud scheme.
The campaign, named IconAds, operates a giant advertising fraud system that generates approximately 1 billion fake ad display requests every day, a number that is shocking even to security experts.

Although Google quickly removed the apps from the Play Store, those who had previously installed them were still at risk. The apps were not automatically removed from devices, nor did Google's built-in security system (Play Protect) fully protect against them.
Users therefore have to check for these apps and remove them manually; otherwise the malware keeps operating silently without leaving any obvious signs.
How does the IconAds ad fraud campaign work?
The IconAds campaign doesn’t use fancy or sophisticated techniques, instead relying on familiar but extremely effective tricks. The apps are “repackaged” with vague names, icons that mimic system tools, and sometimes an exact copy of the Google Play icon to fool users.
Once installed, they cleverly hide in the system, running continuously in the background to generate fake traffic, sending billions of ad requests every day to profit from the budgets of legitimate advertisers.
What’s particularly troubling to researchers isn’t the technical side, but the scale and organization. According to Human Security’s Satori security research team, the campaign includes hundreds of different applications, broken into thousands of variants with different package names and digital signatures to evade detection.
Each variant is coordinated across a distributed network of domains, making it extremely difficult to trace. The campaign’s digital infrastructure is built as a complete ecosystem, capable of adapting and rotating flexibly, to maintain long-term operations without being detected.

The ultimate goal is still money: the operators create fake impressions, play hidden ads that users don't see, and then bill advertisers as if it were real traffic.
The apps in the campaign were designed to be invisible to users, or at least easily forgotten. Once installed, they had no obvious icons, no notifications, and were not easily detected in the application manager. Users rarely noticed anything unusual, except for rapid battery drain, unusual heat, or significant data usage.
Google has removed all of the apps in question from the Play Store, but that’s not enough. As the Satori team points out, Play Protect doesn’t automatically remove malware that was previously installed on a device.
In other words, if you have ever downloaded these apps, they are still silently running in the background and making money from your device, and the responsibility to detect and remove them lies entirely with the user.
What should Android users do to protect themselves?
If you have an Android device, proactively checking your apps is the first step to protecting yourself. Open your list of installed apps and look closely for any unfamiliar names, unknown functions, or unused apps.
Be especially wary of apps that have no icons, don't display clear names, or redirect you to unwanted websites or trigger unwanted behavior.
If you find any, uninstall them immediately. Some malicious IconAds campaign apps may remain on your device even after being removed from the Play Store by Google.
You can check the list of flagged apps in the report published by the Satori – Human Security team at: https://www.humansecurity.com/wp-content/uploads/2025/06/IconAds-apps-Satori-List.html.
Also, don't forget to turn on Google Play Protect (in Settings → Security → Google Play Protect) and update your operating system and applications regularly. In particular, avoid downloading applications with ambiguous names, few downloads, missing developer information or sketchy descriptions.
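The manual check described above can be scripted over adb. The following is an added example, not code from Human Security or Google: it compares the device's third-party packages with a flagged list and also reports packages that have no launcher icon. The package names are constructed placeholders, and the flagged-list file (one package name per line) is an assumption.

```python
import subprocess
import sys

# Constructed sample of `adb shell pm list packages -3` (third-party apps only).
SAMPLE_PM = """package:com.example.notes
package:com.example.flagged.cleaner
package:com.example.hidden.helper
"""
LAUNCHER_QUERY = ("cmd package query-activities --brief "
                  "-a android.intent.action.MAIN -c android.intent.category.LAUNCHER")
# Constructed sample of `adb shell` + LAUNCHER_QUERY: apps that show a launcher icon.
SAMPLE_LAUNCHER = """2 activities found:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
  com.example.notes/.MainActivity
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
  com.example.flagged.cleaner/.Start
"""
SAMPLE_FLAGGED = {"com.example.flagged.cleaner"}  # placeholder, not from the real list

def parse_packages(pm_output):
    """Extract package names from lines of the form 'package:com.foo.bar'."""
    lines = (ln.strip() for ln in pm_output.splitlines())
    return {ln[len("package:"):] for ln in lines if ln.startswith("package:")}

def parse_launcher_packages(query_output):
    """Extract package names from component lines such as 'com.foo/.Main'."""
    lines = (ln.strip() for ln in query_output.splitlines())
    # Metadata lines contain '='; component lines contain '/' and no '='.
    return {ln.split("/", 1)[0] for ln in lines if "/" in ln and "=" not in ln}

def triage(installed, launchable, flagged):
    """Return (installed apps on the flagged list, other apps with no launcher icon)."""
    return sorted(installed & flagged), sorted(installed - launchable - flagged)

def adb_shell(command):
    """Run a command on the attached device and return its standard output."""
    return subprocess.run(["adb", "shell", command], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    pm_out, launcher_out, flagged = SAMPLE_PM, SAMPLE_LAUNCHER, SAMPLE_FLAGGED
    if len(sys.argv) > 1:  # argv[1]: assumed file, one flagged package name per line
        with open(sys.argv[1]) as fh:
            flagged = {ln.strip() for ln in fh if ln.strip()}
        pm_out, launcher_out = adb_shell("pm list packages -3"), adb_shell(LAUNCHER_QUERY)
    hits, hidden = triage(parse_packages(pm_out),
                          parse_launcher_packages(launcher_out), flagged)
    print("On flagged list (uninstall):", hits or "none")
    print("No launcher icon (review manually):", hidden or "none")
```

A missing launcher icon is only a reason to look closer: keyboards, widgets and other legitimate apps also ship without one.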
This isn’t the first time this has happened. Campaigns like HiddenAds, BADBOX, and now IconAds show a hole in Google’s vetting system. As long as publishing apps is easy and vetting is lax, malicious app developers will keep coming back.
These apps don't steal personal data or encrypt devices, but they still cause damage at the ecosystem level by consuming system resources, slowing down devices, and consuming mobile data and battery.
In short, users remain the first and last line of defense. Vigilance, while imperfect, remains the most effective way to protect yourself against increasingly sophisticated and organized fraud campaigns.