Massive Android fraud networks discovered in global malware sweep
Farah Amod
Jul 11, 2025 2:00:12 PM

New reports reveal large-scale ad fraud, SMS malware, and NFC-based scams targeting Android users worldwide, with tactics changing rapidly across regions.
What happened
Cybersecurity researchers have uncovered several widespread Android-based fraud operations, including a mobile ad scheme called IconAds, an advanced ad fraud framework dubbed Kaleidoscope, and a growing number of malware campaigns focused on financial theft through SMS and NFC technology. These operations have led to millions of infections and financial losses across countries, including the U.S., Brazil, India, Uzbekistan, and others.
Going deeper
The IconAds operation involved 352 Android apps that loaded intrusive ads out of context while hiding their icons from the home screen, making removal difficult. At its peak, the network generated 1.2 billion ad requests daily. The malware used advanced obfuscation and impersonated apps like the Google Play Store to avoid detection. Though Google removed the apps, researchers expect the tactics to continue changing.
Meanwhile, a separate operation named Kaleidoscope used a ‘twin app’ model. Harmless-looking apps hosted on Google Play served as a front, while their malicious counterparts distributed via third-party stores generated fraudulent ad impressions. This campaign builds on a previous scheme called Konfety and has been most prevalent in Latin America, Türkiye, Egypt, and India.
In parallel, threat actors are exploiting Android’s NFC capabilities. Malware like NGate and SuperCard X allows attackers to relay payment card signals through compromised phones, enabling remote ATM withdrawals. An advanced variant, Ghost Tap, uses stolen card data to register digital wallets like Google Pay or Apple Pay, which are then used to conduct unauthorized contactless transactions.
What was said
Researchers from HUMAN, IAS Threat Lab, Group-IB, and Kaspersky all reported on these threats. HUMAN noted the short shelf life of IconAds apps and predicted further adaptations. IAS described Kaleidoscope’s structure as “insidiously adaptive,” while Group-IB described the risks posed by SMS-based banking malware like Qwizzserial in Uzbekistan. Kaspersky warned that spyware such as SparkKitty may be targeting screenshots of crypto wallet recovery phrases using OCR.
The big picture
Recent operations point to a shift in mobile cybercrime tactics, moving beyond basic ad fraud toward more complex threats that combine financial theft, surveillance, and social engineering. Android devices are often targeted due to their widespread use and the accessibility of third-party app stores in certain regions. Malicious apps continue to pose risks by imitating legitimate software while carrying out hidden activities in the background, making detection and prevention more difficult for users and security teams alike.
FAQs
What is “out-of-context” advertising, and why is it dangerous?
Out-of-context ads appear without user interaction and often over unrelated apps or system screens. They disrupt user experience, drain battery life, and may expose users to phishing or scam content.
How can users protect themselves from “evil twin” apps like those in Kaleidoscope?
Avoid installing apps from unofficial sources, regularly review app permissions, and use trusted mobile security tools to detect hidden or duplicated applications.
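Two of the IconAds signals described above (apps that hide their launcher icon, and apps whose package name imitates the Google Play Store) together with the "hidden or duplicated applications" advice in this FAQ can be turned into a simple device-triage check. The script below is an added example, not code from any of the cited research teams. It parses a constructed package inventory written in the shape of `adb shell pm list packages -f -i -3` and of the `cmd package query-activities --brief` launcher listing, then scores each third-party package on three defender-side heuristics. The sample package names, paths and installer values are constructed for illustration; the only real identifier is `com.android.vending`, the genuine Google Play Store package.

```python
"""Triage an Android package inventory for IconAds-style signals.

Added example (not from the article or the cited vendors). The two sample
listings below are constructed; they imitate the shape of
  adb shell pm list packages -f -i -3
  adb shell cmd package query-activities --brief \
      -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
but were not captured from a real device.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

GENUINE_PLAY_STORE = "com.android.vending"      # real package name of Google Play
TRUSTED_INSTALLERS = {GENUINE_PLAY_STORE}       # assumption: only Play is trusted here
LOOKALIKE_TOKENS = ("vending", "googleplay", "playstore", "play.store")

# Constructed sample: third-party packages with their installer of record.
PM_LIST_SAMPLE = """\
package:/data/app/~~abc/com.example.notes-1/base.apk=com.example.notes  installer=com.android.vending
package:/data/app/~~def/com.android.vending.update-2/base.apk=com.android.vending.update  installer=null
package:/data/app/~~ghi/com.cleaner.booster-1/base.apk=com.cleaner.booster  installer=com.some.thirdparty.store
package:/data/app/~~jkl/com.example.keyboard-1/base.apk=com.example.keyboard  installer=com.android.vending
"""

# Constructed sample: packages that expose a home-screen launcher activity.
LAUNCHER_SAMPLE = """\
  com.example.notes/.MainActivity
  com.cleaner.booster/.SplashActivity
"""

PM_LINE = re.compile(
    r"^package:(?P<path>\S+)=(?P<pkg>[\w.]+)(?:\s+installer=(?P<installer>\S+))?$"
)


@dataclass
class Package:
    name: str
    installer: Optional[str]   # None when pm prints installer=null (sideloaded/adb)


def parse_pm_list(text: str) -> List[Package]:
    """Parse `pm list packages -f -i` style lines into Package records."""
    packages = []
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue
        installer = m.group("installer")
        packages.append(Package(m.group("pkg"), None if installer == "null" else installer))
    return packages


def parse_launcher_packages(text: str) -> Set[str]:
    """Collect package names that own at least one MAIN/LAUNCHER activity."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if "/" in line:
            pkgs.add(line.split("/", 1)[0])
    return pkgs


def looks_like_play_store(pkg: str) -> bool:
    """True for names that imitate the Play Store but are not the genuine package."""
    if pkg == GENUINE_PLAY_STORE:
        return False
    return any(tok in pkg.lower() for tok in LOOKALIKE_TOKENS)


def triage(packages: List[Package], launcher_pkgs: Set[str]) -> List[dict]:
    """Score each package; higher scores deserve a closer look first.

    A missing launcher icon alone is weak evidence (keyboards and services are
    legitimately icon-less), so it only adds one point; a Play Store lookalike
    name is the strongest single signal and adds two.
    """
    findings = []
    for p in packages:
        reasons, score = [], 0
        if p.name not in launcher_pkgs:
            reasons.append("no launcher icon; cannot be spotted or opened from the home screen")
            score += 1
        if p.installer not in TRUSTED_INSTALLERS:
            reasons.append(f"installed by untrusted source: {p.installer or 'unknown/sideloaded'}")
            score += 1
        if looks_like_play_store(p.name):
            reasons.append("package name imitates the Google Play Store")
            score += 2
        if score:
            findings.append({"package": p.name, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    results = triage(parse_pm_list(PM_LIST_SAMPLE), parse_launcher_packages(LAUNCHER_SAMPLE))
    for r in results:
        print(f"{r['score']}  {r['package']}")
        for reason in r["reasons"]:
            print(f"     - {reason}")
```

On a real handset the two listings come from `adb shell`; the heuristics are deliberately conservative and produce a ranked review list rather than a verdict, since an icon-less package from the Play Store can be perfectly legitimate while a Play Store lookalike with no installer of record is the combination the article's IconAds description points to.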
What is NFC relay fraud and how does it work?
NFC relay fraud allows attackers to route payment card signals through compromised devices to conduct unauthorized withdrawals or purchases, bypassing physical card presence.
Why is Uzbekistan especially vulnerable to SMS-based malware like Qwizzserial?
Many local banking and payment systems rely heavily on SMS for 2FA and account interactions, making message interception a profitable tactic for cybercriminals.
What does OCR-based spyware like SparkKitty actually do?
It scans device images for specific visual data like crypto wallet recovery phrases by using optical character recognition to identify and extract sensitive content from screenshots.