Google removes 224 Android apps in ad fraud takedown

Google eliminated 224 malicious Android applications from its Play Store after researchers discovered they were part of an ad fraud operation called "SlopAds" that generated 2.3 billion fraudulent ad requests daily.

What happened

BleepingComputer reported the malicious apps were downloaded over 38 million times across 228 countries and territories. The campaign generated 2.3 billion bid requests per day, with the highest concentration of ad impressions coming from the United States (30%), India (10%), and Brazil (7%). The apps used obfuscation and steganography techniques to hide malicious behavior from Google's security systems and detection tools. Google has since removed all identified SlopAds applications from the Play Store and updated Android's Google Play Protect to warn users about any remaining installations on their devices.

Going deeper

The SlopAds campaign employed multiple layers of evasion tactics:

• Apps functioned normally when installed organically through the Play Store
• Malicious behavior only activated when users arrived via the threat actors' ad campaigns
• Used Firebase Remote Config to download encrypted configuration files containing URLs for ad fraud modules and cashout servers
• Downloaded four PNG images using steganography to conceal pieces of a malicious APK called "FatModule"
• Images were decrypted and reassembled on devices to form the complete malware
• FatModule used hidden WebViews to gather device information and navigate to attacker-controlled domains
• These domains impersonated game and news sites, serving continuous ads through hidden screens
• Campaign infrastructure included numerous command-and-control servers and over 300 promotional domains
  
  

What was said

Researchers explained the campaign's naming: "Researchers dubbed this operation 'SlopAds' because the apps associated with the threat have the veneer of being mass produced, a la 'AI slop', and as a reference to a collection of AI-themed applications and services hosted on the threat actors' C2 server."

Researchers warned that "the sophistication of the ad fraud campaign indicates that the threat actors will likely adapt their scheme to try again in future attacks."

By the numbers

• 224 malicious applications removed from Google Play
• 38 million+ total app downloads
• 2.3 billion fraudulent ad requests generated daily
• 228 countries and territories affected
• 30% of ad impressions from United States
• 10% of ad impressions from India
• 7% of ad impressions from Brazil
• 300+ related promotional domains identified
  
  

In the know

Ad fraud campaigns like SlopAds exploit the mobile advertising system by generating fake ad impressions and clicks to steal revenue from legitimate advertisers. Steganography is a technique that hides malicious code within seemingly innocent files like images, making detection difficult. These campaigns often use evasion techniques to bypass app store security reviews and appear as legitimate applications until activated by specific conditions.

The bottom line

Healthcare organizations should immediately audit their approved mobile applications and implement strict mobile device management policies. The nature of campaigns like SlopAds shows that relying solely on app store security is insufficient for protecting sensitive healthcare data and maintaining HIPAA compliance.

Related: HIPAA Compliant Email: The Definitive Guide

FAQs

How can users check if they had one of the removed apps installed?

Users should review their installed apps and rely on Google Play Protect alerts for warnings.

How did Google update its defenses to prevent similar attacks?

Google enhanced Play Protect scanning and detection for hidden malicious behaviors.

Are smaller app stores more vulnerable to this type of fraud?

Yes, third-party app stores often lack the same level of security scrutiny.

Could healthcare or enterprise apps be impersonated in future fraud campaigns?

Yes, attackers may mimic trusted categories to maximize downloads and ad revenue.