A large-scale ad fraud campaign that uses hundreds of malicious apps on the Google Play Store to display full-screen ads and conduct phishing attacks has been uncovered, according to cybersecurity researchers.
The apps in question display out-of-context ads and attempt to trick victims into divulging their credentials and credit card information through phishing attacks, as reported by Bitdefender.
The details of this activity were initially exposed by Integral Ad Science (IAS) earlier this month, which discovered over 180 apps engineered to deploy intrusive full-screen interstitial video ads as part of a scheme codenamed Vapor.
These apps, now removed by Google, disguised themselves as legitimate apps and collectively garnered over 56 million downloads, generating more than 200 million bid requests daily.
According to the IAS Threat Lab, the fraudsters behind the Vapor operation created multiple developer accounts, each hosting only a few apps, to distribute their operation and avoid detection. This setup ensures that the takedown of any single account would have minimal impact on the overall operation.
By mimicking harmless utility, fitness, and lifestyle applications, the operation successfully deceived users into installing the apps.
Another key aspect is that the threat actors employed a technique called versioning, where they published a functional app without malicious functionality to the Play Store, passing Google’s vetting process, and then added the malicious features in subsequent updates to display intrusive ads.
Furthermore, the ads hijack the device’s entire screen, rendering it largely inoperable and preventing the victim from using it. The campaign is believed to have started around April 2024 and expanded at the beginning of this year, with over 140 bogus apps uploaded to the Play Store in October and November alone.
The latest findings from the Romanian cybersecurity company reveal that the campaign is more extensive than initially thought, involving as many as 331 apps that accumulated over 60 million downloads in total.
Besides hiding the app’s icon from the launcher, some of the identified applications have also been observed attempting to collect credit card data and user credentials for online services. The malware is also capable of exfiltrating device information to an attacker-controlled server.
Another detection-evasion technique is the use of Leanback Launcher, a launcher type designed for Android-based TV devices, combined with changing the app's own name and icon to impersonate Google Voice.
“The attackers have found a way to hide the apps’ icons from the launcher, which is restricted on newer Android iterations,” Bitdefender said. “The apps can start without user interaction, even though this should not be technically possible in Android 13.”
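As an added example (not code from the article, Bitdefender or IAS), the following Python script shows how a defender might triage two decoded manifests of the same package for the two traits described above: a Leanback-only launcher entry, which leaves no icon on a phone launcher, and a "versioning" update that quietly adds overlay-related permissions. The sample manifests and the list of watched permissions are constructed assumptions, not values taken from the Vapor apps.

```python
"""Static triage of two versions of one app's AndroidManifest.xml.
Flags (1) an activity reachable only via the TV-only LEANBACK_LAUNCHER
category and (2) permissions that first appear in the newer version."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest namespace
LAUNCHER = "android.intent.category.LAUNCHER"
LEANBACK = "android.intent.category.LEANBACK_LAUNCHER"
# Assumed watch-list: permissions whose sudden arrival in an update warrants review.
WATCHED = {"android.permission.SYSTEM_ALERT_WINDOW",
           "android.permission.REQUEST_INSTALL_PACKAGES"}

def launcher_categories(manifest_xml):
    """Return the launcher-type categories declared by any activity."""
    root = ET.fromstring(manifest_xml)
    return {cat.get(ANDROID + "name") for act in root.iter("activity")
            for cat in act.iter("category")
            if cat.get(ANDROID + "name") in (LAUNCHER, LEANBACK)}

def permissions(manifest_xml):
    """Return the set of <uses-permission> names in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID + "name") for p in root.iter("uses-permission")}

def triage(old_xml, new_xml):
    """Compare an earlier and a later manifest; return human-readable findings."""
    findings = []
    cats = launcher_categories(new_xml)
    if LEANBACK in cats and LAUNCHER not in cats:
        findings.append("leanback-only launcher: no phone launcher icon")
    for perm in sorted((permissions(new_xml) - permissions(old_xml)) & WATCHED):
        findings.append(f"update adds watched permission {perm}")
    return findings

# Constructed sample manifests: a benign-looking v1 and a later v2 of the same package.
V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.fitnesslog">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity></application></manifest>"""
V2 = V1.replace("android.intent.category.LAUNCHER", LEANBACK).replace(
    '<uses-permission android:name="android.permission.INTERNET"/>',
    '<uses-permission android:name="android.permission.INTERNET"/>\n'
    '  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>')

if __name__ == "__main__":
    for finding in triage(V1, V2):
        print(finding)
```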
The campaign is believed to be the work of either a single threat actor or multiple cybercriminals using the same packing tool advertised for sale on underground forums.
“The investigated applications bypass Android security restrictions to start activities even if they are not running in the foreground and, without required permissions to do so, spam the users with continuous, full-screen ads,” the company added. “The same behavior is used to serve UI elements featuring phishing attempts.”