Sep 16, 2025 | Ravie Lakshmanan
Ad Fraud / Mobile Security
Unveiling the SlopAds Operation
A recent investigation has shed light on a significant ad fraud and click fraud scheme known as SlopAds, which has orchestrated a network of 224 applications. These apps have collectively amassed an impressive 38 million downloads across 228 countries and territories, raising alarms within the digital advertising community.
The Satori Threat Intelligence and Research Team at HUMAN detailed how these applications carry out the fraud: they use steganography to conceal their payload and create hidden WebViews that navigate to cashout sites controlled by the threat actors, thereby generating fraudulent ad impressions and clicks. The term “SlopAds” reflects the mass-produced nature of these apps, which leverage artificial intelligence-themed services like StableDiffusion and AIGuide, hosted on the command-and-control (C2) server.
At its peak, the SlopAds campaign was responsible for an astonishing 2.3 billion bid requests daily, with the majority of traffic originating from the United States (30%), India (10%), and Brazil (7%). In response to these alarming findings, Google has taken action by removing all implicated apps from the Play Store, effectively disrupting this fraudulent operation.
What distinguishes SlopAds from other ad fraud schemes is its conditional execution. When a SlopAds app is downloaded, it queries a mobile marketing attribution SDK to determine whether the download was organic or the result of an ad click. Only in cases where the app was downloaded following an ad click does it initiate the download of the ad fraud module, known as FatModule, from the C2 server. Conversely, if the app was installed organically, it operates as advertised.
According to HUMAN researchers, this layered approach to fraud execution underscores the increasing sophistication of threats to the digital advertising ecosystem. By creating a feedback loop that triggers fraud only when the device is not under scrutiny by security researchers, SlopAds effectively blends malicious traffic with legitimate campaign data, complicating detection efforts.
The FatModule itself is ingeniously concealed within four PNG image files, which hide the APK. Once decrypted and reassembled, this module gathers device and browser information while executing ad fraud through the hidden WebViews. This method allows for a seamless integration of fraudulent activities into seemingly legitimate traffic.
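For defenders triaging image assets pulled from an app package or captured from network traffic, the following is an added example, not code from HUMAN or from the campaign. The article does not say how the APK is embedded in the PNG files, so the script assumes nothing about that and only checks generic indicators of a PNG used as a carrier: bad CRCs, non-standard chunks, bytes after IEND, and near-random pixel data. The function names, the 7.9 bits/byte threshold and the constructed test images are assumptions of this example.

```python
import collections, hashlib, math, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else gets flagged.
STANDARD = set("IHDR PLTE IDAT IEND tRNS cHRM gAMA iCCP sBIT sRGB tEXt zTXt "
               "iTXt bKGD hIST pHYs sPLT tIME eXIf".split())

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    return -sum(c / len(data) * math.log2(c / len(data))
                for c in collections.Counter(data).values())

def triage_png(blob):
    """Return structural findings for one PNG asset (empty list = nothing flagged)."""
    if not blob.startswith(PNG_SIG):
        return ["not-png"]
    findings, idat, pos, ended = [], b"", len(PNG_SIG), False
    while not ended and pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            findings.append("truncated-chunk")
            break
        body, name = blob[pos + 8:end - 4], ctype.decode("latin-1")
        if zlib.crc32(ctype + body) != struct.unpack(">I", blob[end - 4:end])[0]:
            findings.append("bad-crc:" + name)
        if name not in STANDARD:
            findings.append(f"nonstandard-chunk:{name}:{length}")
        if ctype == b"IDAT":
            idat += body
        pos, ended = end, ctype == b"IEND"
    if ended and pos < len(blob):  # bytes after IEND are ignored by image decoders
        findings.append(f"trailing-data:{len(blob) - pos}")
    try:  # heuristic threshold (assumption): noisy photos can also score high
        pixels = zlib.decompress(idat)
        if len(pixels) >= 4096 and entropy(pixels) > 7.9:
            findings.append("high-entropy-pixels")
    except zlib.error:
        findings.append("idat-not-zlib")
    return findings

def make_png(side, noisy):
    """Constructed 8-bit grayscale sample; noisy=True fills it with a SHA-256 stream."""
    def chunk(t, d):
        return struct.pack(">I", len(d)) + t + d + struct.pack(">I", zlib.crc32(t + d))
    px = bytes(side * side) if not noisy else b"".join(
        hashlib.sha256(b"%d" % i).digest() for i in range(side * side // 32))
    rows = b"".join(b"\x00" + px[r * side:(r + 1) * side] for r in range(side))
    ihdr = struct.pack(">IIBBBBB", side, side, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")
```

A finding is a reason to look closer, not a verdict: legitimate images can carry vendor chunks or noisy pixel data, so results are best correlated across all image assets in the same package.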
One of the cashout mechanisms for SlopAds involves HTML5 (H5) game and news websites owned by the threat actors. These sites frequently display ads, and since the WebView in which they are loaded remains hidden, they can monetize numerous ad impressions and clicks before the WebView is closed.
Researchers have also identified domains promoting SlopAds apps that link back to a secondary domain, ad2[.]cc, which serves as a Tier-2 C2 server. In total, approximately 300 domains advertising these apps have been uncovered.
This development follows closely on the heels of HUMAN’s previous identification of another set of 352 Android apps involved in an ad fraud scheme dubbed IconAds. As Gavin Reid, CISO at HUMAN, noted, “SlopAds highlights the evolving sophistication of mobile ad fraud, including stealthy, conditional fraud execution and rapid scaling capabilities.”