Google nukes 224 Android malware apps behind massive ad fraud campaign

A massive Android ad fraud operation dubbed “SlopAds” was disrupted after 224 malicious applications on Google Play were used to generate 2.3 billion ad requests per day.

The ad fraud campaign was discovered by HUMAN’s Satori Threat Intelligence team, which reported that the apps were downloaded over 38 million times and employed obfuscation and steganography to conceal the malicious behavior from Google and security tools.

The campaign was worldwide, with users installing the apps from 228 countries, and SlopAds traffic accounting for 2.3 billion bid requests every day. The highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).

“Researchers dubbed this operation ‘SlopAds’ because the apps associated with the threat have the veneer of being mass produced, a la ‘AI slop‘, and as a reference to a collection of AI-themed applications and services hosted on the threat actors’ C2 server,” explained HUMAN.

The SlopAds ad fraud campaign

The ad fraud contained multiple levels of evasion tactics to avoid being detected by Google’s app review process and security software.

If a user installed a SlopAd app organically through the Play Store, without coming from one of the campaign’s ads, it would act as a normal app, performing the advertised functionality as normal.

However, if it was determined that the app was installed by the user clicking arriving via one of the threat actor’s ad campaigns, the software used Firebase Remote Config to download an encrypted configuration file that contained URLs for the ad fraud malware module, cashout servers, and a JavaScript payload.

The app would then determine if it was installed on a legitimate user’s device, rather than being analyzed by a researcher or security software.

If the app passes these checks, it downloads four PNG images that utilize steganography to conceal pieces of a malicious APK, which is used to power the ad fraud campaign.

Once downloaded, the images were decrypted and reassembled on the device to form the complete “FatModule” malware, which was used to conduct the ad fraud.

Once FatModule was activated, it would use hidden WebViews to gather device and browser information and then navigate to ad fraud (cashout) domains controlled by the attackers. 

These domains impersonated game and new sites, serving ads continuously through hidden WebView screens to generate over 2 billion fraudulent ad impressions and clicks per day, thereby creating revenue for the attackers. 

HUMAN says the campaign’s infrastructure included numerous command-and-control servers and more than 300 related promotional domains, suggesting that the threat actors were planning on expanding past the initial 224 identified apps.

Google has since removed all of the known SlopAds apps from the Play Store, and Android’s Google Play Protect has been updated to warn users to uninstall any that are found on devices.

However, HUMAN warns that the sophistication of the ad fraud campaign indicates that the threat actors will likely adapt their scheme to try again in future attacks.

46% of environments had passwords cracked, nearly doubling from 25% last year.

Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.

See also  3 best Prime Video spy thrillers to stream after 'Black Bag'

Get the Blue Report 2025