Researchers at Romanian cybersecurity firm Bitdefender discovered a widespread malware distribution campaign involving tens of thousands of Android apps masquerading as popular games, VPN apps, and security tools typically found on official Google Play Store.

The operation has been active since at least October 2022 and is likely fully automated.

“The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue. However, the threat actors involved can easily switch tactics to redirect users to other types of malware such as banking Trojans to steal credentials and financial information or ransomware,” the researchers said in a blog post.

The apps distributed in this campaign mimic game cracks, games with unlocked features, free VPN, Netflix, YouTube/TikTok tutorials without ads, cracked utility programs, security solutions. It’s worth noting that the fake apps are not available on the official app stores.

Upon installation the fake apps have no icons or names in order to make it harder to detect. Once launched the app will display an error message to trick the user into thinking it was never installed. In reality, it will sleep for some time and then initialize the adware phase when the user unlocks the phone using the device’s mobile browser to load a full-page advertisement.

Bitdefender identified 60,000 unique apps carrying the adware, with the highest rates of infections detected in the United States (55.27%), South Korea (9.8%), and Brazil (5.96%).