Large-scale ad fraud campaign steals user credentials and credit card data

Security researchers at Bitdefender have uncovered a massive ad fraud campaign, with 331 malicious applications identified.

The apps, which were initially presented as harmless utility tools, have been used to flood users' devices with out-of-context ads and engage in phishing activities, including attempts to steal user credentials and credit card information.

The fraud campaign, which had been running since Q3 of 2024, utilized a range of deceptive tactics to evade detection and bypass Android security restrictions. The malicious apps often mimicked simple utility apps like QR scanners, expense tracking tools, health apps, and wallpaper apps.

Once installed, the malicious apps display fullscreen ads on top of legitimate applications, often rendering the device unusable. In some cases, the apps attempted to collect sensitive user data through phishing attempts.

The apps were able to bypass Android's most recent security restrictions, including limitations on launching apps without user interaction.

Despite Android 13's security protocols, which should have prevented such behavior, the apps were still able to initiate malicious activities without user consent. Researchers found that the attackers had exploited a bug or were abusing specific Android APIs to disable the app's icon, making it nearly invisible to the user. This allowed the malicious apps to run in the background while avoiding detection by both users and automated security systems.

The campaign is believed to be the work of a single threat actor or multiple cybercriminals utilizing the same packaging tool sold on underground forums. The actors used a technique known as versioning, where initial versions of the apps were benign and passed Google's vetting process. Subsequent updates introduced malicious functionality, allowing the apps to serve intrusive ads and even attempt phishing.

Bitdefender researchers also discovered that the malware used an array of evasion techniques, including Android's LEANBACK_LAUNCHER, a launcher category designed for Android TV, which let the apps enable or disable their icon at will. Some apps disguised themselves as Google Voice to avoid detection, further complicating identification.
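As an added triage check written for this article (not code from Bitdefender's report or tooling), the script below parses a decoded AndroidManifest.xml, such as apktool produces, and flags the icon-hiding pattern described above: a launcher entry registered under the Android TV LEANBACK_LAUNCHER category in an app that declares no TV feature, a launcher entry implemented as an activity-alias (which an app can switch off at runtime), or no ordinary MAIN/LAUNCHER entry at all. The sample manifest and the heuristics are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"   # Android attribute namespace
MAIN, LAUNCHER = "android.intent.action.MAIN", "android.intent.category.LAUNCHER"
LEANBACK = "android.intent.category.LEANBACK_LAUNCHER"   # Android TV home-screen category


def launcher_entries(manifest_xml):
    """Map each MAIN-action activity/alias to the launcher categories it declares."""
    entries = {}
    for comp in (c for c in ET.fromstring(manifest_xml).iter() if c.tag in ("activity", "activity-alias")):
        cats = set()
        for f in comp.findall("intent-filter"):
            if MAIN in {a.get(NS + "name") for a in f.findall("action")}:
                cats |= {c.get(NS + "name") for c in f.findall("category")}
        if cats & {LAUNCHER, LEANBACK}:
            entries[comp.get(NS + "name")] = {"tag": comp.tag, "cats": cats}
    return entries


def triage(manifest_xml):
    """Return findings for the icon tricks in the article; [] means none seen."""
    root = ET.fromstring(manifest_xml)
    tv_app = any(f.get(NS + "name") == "android.software.leanback" for f in root.iter("uses-feature"))
    entries, findings = launcher_entries(manifest_xml), []
    if not any(LAUNCHER in e["cats"] for e in entries.values()):
        findings.append("no MAIN/LAUNCHER entry: app shows no home-screen icon")
    for name, e in entries.items():
        if LEANBACK in e["cats"] and not tv_app:
            findings.append(f"{name}: LEANBACK_LAUNCHER entry in a non-TV app")
        if e["tag"] == "activity-alias":
            findings.append(f"{name}: launcher entry is an alias (icon toggleable at runtime)")
    return findings


# Constructed sample manifest modelled on the article's description; not a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <application>
    <activity android:name=".Main"/>
    <activity-alias android:name=".Icon" android:targetActivity=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LEANBACK_LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>"""
```

Calling `triage(SAMPLE)` reports all three findings for the constructed manifest; on a genuine TV app with `uses-feature android.software.leanback` the LEANBACK finding is suppressed.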

The researchers believe the campaign began around April 2024, and its scope has only expanded throughout 2025. In the first week of March 2025 alone, new variants of the malware were published to the Google Play Store. Despite Google's ongoing efforts to clean up the Play Store, as of Bitdefender’s report, 15 of the malicious apps were still available for download.
