
New Ad Fraud Campaign Exploits 331 Apps with 60M+ Downloads for Phishing and Intrusive Ads


Mar 18, 2025 | Ravie Lakshmanan | Ad Fraud / Mobile Security


Cybersecurity researchers have warned about a large-scale ad fraud campaign that has leveraged hundreds of malicious apps published on the Google Play Store to serve full-screen ads and conduct phishing attacks.

“The apps display out-of-context ads and even try to persuade victims to give away credentials and bank card information in phishing attacks,” Bitdefender said in a report shared with The Hacker News.

Details of the activity were first disclosed by Integral Ad Science (IAS) earlier this month, documenting the discovery of over 180 apps that were engineered to deploy endless and intrusive full-screen interstitial video ads. The ad fraud scheme was codenamed Vapor.


These apps, which have since been taken down by Google, masqueraded as legitimate apps and collectively amassed more than 56 million downloads between them, generating over 200 million bid requests daily.

“Fraudsters behind the Vapor operation have created multiple developer accounts, each hosting only a handful of apps to distribute their operation and evade detection,” the IAS Threat Lab said. “This distributed setup ensures that the takedown of any single account would have minimal impact on the overall operation.”

By mimicking seemingly harmless utility, fitness, and lifestyle applications, the operation has been able to successfully dupe unwitting users into installing them. The campaign remains ongoing, with the latest malware-laced app published in the Google Play Store in the first week of March 2025.


Another important aspect is that the threat actors have been found using a sneaky technique called versioning, which involves publishing to the Play Store a functional app without any malicious functionality so that it passes Google’s vetting process. The malicious functionality is introduced in subsequent app updates, replacing the legitimate features with tactics to maximize ad revenue through video ads.

What’s more, the ads hijack the device’s entire screen and prevent the victim from using the device, rendering it largely inoperable. It is assessed that the campaign began sometime around April 2024, before expanding at the start of this year. More than 140 bogus apps were uploaded to the Play Store in October and November alone.

The latest findings from the Romanian cybersecurity company show that the campaign is bigger than previously thought, featuring as many as 331 apps that racked up more than 60 million downloads in total.

Besides hiding the app’s icon from the launcher, some of the identified applications have also been observed attempting to collect bank card data and user credentials for online services by displaying fake pages. The malware is also capable of exfiltrating device information to an attacker-controlled server.

Another technique used for detection evasion is the use of Leanback Launcher, a type of launcher specifically designed for Android-based TV devices, and changing its own name and icon to impersonate Google Voice.


“Attackers found a way to hide the apps’ icons from the launcher, which is restricted on newer Android iterations,” Bitdefender said. “The apps can start without user interaction, even though this should not be technically possible in Android 13.”

It is believed that the campaign is the work of either a single threat actor or several cybercriminals who are using the same packing tool that is advertised for sale on underground forums.

“The investigated applications bypass Android security restrictions to start activities even if they are not running in the foreground and, without required permissions to do so, spam the users with continuous, full-screen ads,” the company added. “The same behavior is used to serve UI elements featuring phishing attempts.”
