DoubleVerify has raised the alarm about a mobile scam in which dormant Android developer accounts are hijacked and then used to publish fraudulent gaming applications on Google Play. This shift in tactics marks a departure from previous app store scams, which typically relied on newly created developer accounts that faced heightened scrutiny from app store security systems and were quickly taken down following enforcement actions.
Shift in tactics
The company has identified a new trend where fraudsters are now targeting established developer accounts that have remained inactive for extended periods, sometimes years. These accounts, referred to as “zombie” accounts, have a history of legitimate activity that enables the fraudulent apps to bypass automated checks that focus on reputation signals. The apps produced through this scheme not only generate invalid traffic, draining advertiser budgets, but they also tend to excessively consume battery power, posing a risk to the devices on which they are installed.
Historically, DoubleVerify noted that fraudsters infiltrated app stores by creating new developer accounts and bolstering them with fake reviews and metadata. However, this method has become increasingly difficult to maintain due to the extra screening imposed on new accounts, leading to rapid takedowns. In contrast, the current strategy involves compromising existing accounts with a proven publishing track record, allowing them to resurface after long periods of inactivity and release multiple low-quality gaming apps.
Detection signals
DoubleVerify identified this scheme through early traffic patterns. Notably, it observed traffic surges at unusual times, such as the early morning hours, which do not align with typical casual gaming behavior. Gilit Saporta, VP of Product, Fraud & Quality at DoubleVerify, explained, “The fraudulent gaming apps in this scheme had massive, inexplicable traffic surges very early in the morning—when casual gamer traffic is generally at its lowest.” The rapid traffic accumulation within hours of launch, despite the absence of marketing efforts and poor user reviews, further underscored the fraudulent nature of these apps.
Moreover, the traffic patterns bore no relation to the apps’ actual functionality, indicating that the “users” were likely bot clusters programmed to generate ad requests irrespective of gameplay. Analysts also noted abrupt changes at the account level, where previously dormant accounts suddenly pivoted to casual gaming categories after years of inactivity. Anna Gantman, a Fraud Analyst at DoubleVerify, remarked, “When we took a step back and investigated the accounts from which the apps originated, we noted that the accounts had undergone recent and abrupt ‘personality’ changes, as if they were being inhabited by an outside force.”
Examples cited
DoubleVerify provided specific examples of developer accounts that exhibited these concerning shifts. One account, which had previously published ornithology apps and had been dormant since 2017, resurfaced in 2025 with a series of generic gaming applications. Another account, inactive since 2016, returned with game apps marketed as stress-relieving titles. These types of abrupt pivots serve as critical signals when analyzed alongside other behavioral indicators.
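The two signal types described above (a long-dormant account pivoting to a new category, and ad traffic concentrated in the early morning) can be combined in a simple check. The following is an added example, not DoubleVerify's detection model; the thresholds, field names and sample accounts are constructed assumptions.

```python
from datetime import date

# Illustrative thresholds (assumptions, not DoubleVerify's values).
DORMANCY_YEARS = 3          # release gap that counts as "dormant"
NIGHT_HOURS = range(1, 6)   # 01:00-05:59 local, when casual gaming is quietest
NIGHT_SHARE_MAX = 0.35      # largest plausible night share of daily ad requests

def dormancy_pivot(releases):
    """Return (gap_years, new_category) for a post-dormancy pivot to an unseen category, else None."""
    releases = sorted(releases)
    seen = set()
    for (prev_day, prev_cat), (day, cat) in zip(releases, releases[1:]):
        seen.add(prev_cat)
        gap = (day - prev_day).days / 365.25
        if gap >= DORMANCY_YEARS and cat not in seen:
            return round(gap, 1), cat
    return None

def night_share(hourly_requests):
    """Fraction of one day's ad requests (24 hourly counts) in NIGHT_HOURS."""
    total = sum(hourly_requests)
    return sum(hourly_requests[h] for h in NIGHT_HOURS) / total if total else 0.0

def zombie_reasons(account):
    """List the signals an account trips; an empty list means none fired."""
    reasons = []
    pivot = dormancy_pivot(account["releases"])
    if pivot:
        reasons.append(f"dormant {pivot[0]}y, then pivot to {pivot[1]}")
    for name, hourly in account["apps"].items():
        share = night_share(hourly)
        if share > NIGHT_SHARE_MAX:
            reasons.append(f"{name}: {share:.0%} of ad requests at night")
    return reasons

# Constructed sample accounts (hypothetical names and numbers).
DAYTIME = [5, 2, 1, 1, 1, 2, 5, 10, 15, 20, 25, 30, 35, 30, 25, 25, 30, 40, 50, 60, 55, 40, 20, 10]
BOT_LIKE = [10, 500, 500, 500, 500, 500] + [10] * 18
ACCOUNTS = {
    "revived-bird-dev": {
        "releases": [(date(2017, 6, 10), "ornithology"), (date(2025, 2, 1), "casual_game")],
        "apps": {"calm-tiles": BOT_LIKE}},
    "returning-dev": {  # long gap, but same category and human-shaped traffic
        "releases": [(date(2016, 1, 5), "puzzle"), (date(2024, 9, 1), "puzzle")],
        "apps": {"word-grid": DAYTIME}}}

if __name__ == "__main__":
    for dev, account in ACCOUNTS.items():
        print(dev, zombie_reasons(account) or "no signals")
```

The second account shows why the signals are evaluated together: a long gap alone does not fire when the developer returns to the same category with daytime-weighted traffic.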
Advertising impact
The implications of these “zombie” accounts are significant, as many buyers, sellers, and platforms regard developer history as a trust signal. This reliance can weaken defenses if monitoring does not accurately reflect real-time behavior. Gantman emphasized, “Zombie accounts are particularly dangerous because they exploit the industry’s trust in historical reputation. Advertisers and platforms often rely on an account’s past activity, not what’s happening in real time.”
Furthermore, the fraudulent activities can distort campaign measurement by inflating delivery metrics due to invalid traffic. This distortion can adversely affect optimization decisions, as systems may misinterpret the traffic as legitimate engagement. Advertisers also face brand risks if their ads appear in unsuitable environments associated with low-quality content, and the activity can evade app store protections when automated screening fails to detect the compromised account or the app’s behavior.
Real-time monitoring
In light of these developments, DoubleVerify advocates for a shift away from reputation-only checks towards real-time behavioral analysis. The company has integrated “zombie account” signatures into its detection models and monitoring processes, enhancing its ability to protect advertisers against these emerging threats.