224 Malicious Android Apps on Google Play With 38 Million Downloads Delivering Malicious Payloads

A sophisticated mobile ad fraud operation known as “SlopAds” has made its way into the Google Play Store, infiltrating the platform with 224 malicious applications that have collectively garnered over 38 million downloads across 228 countries and territories. This extensive campaign is one of the most significant mobile fraud schemes uncovered to date, employing advanced steganography techniques and multi-layered obfuscation to deliver fraudulent advertising payloads while successfully evading detection mechanisms.

The architects behind SlopAds have exhibited remarkable ingenuity by implementing a conditional fraud system that activates only when users download apps through specific advertising campaigns, rather than through organic visits to the Play Store. This selective activation mechanism has allowed the malicious applications to maintain their presence on the platform for extended periods, appearing legitimate to both casual users and automated security systems.

Analysts from Human Security identified the operation while examining anomalous patterns in their Ad Fraud Defense solution data. Their investigation revealed that SlopAds applications were generating approximately 2.3 billion fraudulent bid requests daily at peak operation, with traffic distribution heavily concentrated in the United States (30%), India (10%), and Brazil (7%).

Global distribution of SlopAds-associated traffic (Source – Human Security)

The campaign’s extensive global reach and massive scale highlight the sophisticated infrastructure and operational capabilities of the threat actors involved. The malicious applications leveraged Firebase Remote Config, a legitimate Google development tool, to retrieve encrypted configuration data containing URLs for downloading the primary fraud module, referred to as “FatModule.” This abuse of a trusted development platform illustrates how cybercriminals increasingly route their operations through legitimate services to conceal malicious activity and evade detection by security solutions.

Advanced Steganographic Payload Delivery System

SlopAds employed an innovative payload delivery mechanism that underscores the evolving sophistication of mobile malware operations. The system utilized digital steganography to conceal malicious code within seemingly innocuous PNG image files, effectively bypassing traditional security scanning methods that primarily focus on executable file analysis.

SlopAds operation (Source – Human Security)

Once an infected application passed initial verification checks, command-and-control servers delivered four specially crafted PNG files through encrypted ZIP archives. These images contained hidden APK components that, when decrypted and reassembled, formed the complete FatModule responsible for executing the fraudulent operations. This steganographic approach enabled the malicious payload to traverse network security filters and application store scanning systems without triggering conventional malware detection algorithms.
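The article does not say how the APK fragments were embedded in the PNGs, so as an added defender-side example (not from Human Security or the article), here is a scanner for the two most common carrier patterns: foreign bytes appended after the IEND chunk and non-image data stuffed into an ancillary chunk. The sample PNG, the suspicious-magic list and the 4096-byte chunk threshold are constructed for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Magic bytes worth flagging in or after image data (constructed, not exhaustive)
SUSPICIOUS_MAGIC = {b"PK\x03\x04": "zip/apk", b"dex\n": "dex", b"\x7fELF": "elf"}

def parse_png(data):
    """Walk the chunk list; return (chunks, bytes after IEND, chunks with bad CRC)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks, bad_crc = len(PNG_SIG), [], []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            break  # truncated chunk: stop, whatever remains is reported as trailing
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            bad_crc.append(ctype.decode("latin-1"))
        chunks.append((ctype.decode("latin-1"), body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:], bad_crc

def scan_png(data):
    """Return indicator strings suggesting the PNG carries a non-image payload."""
    chunks, trailing, bad_crc = parse_png(data)
    findings = []
    if trailing:  # a well-formed PNG ends at IEND; anything after it is foreign data
        findings.append("trailing_bytes:%d" % len(trailing))
        findings += ["trailing_magic:" + l for m, l in SUSPICIOUS_MAGIC.items() if m in trailing]
    for name, body in chunks:
        if name not in ("IHDR", "PLTE", "IDAT", "IEND") and len(body) > 4096:
            findings.append("oversized_ancillary_chunk:" + name)
        findings += ["embedded_magic:%s:%s" % (name, l) for m, l in SUSPICIOUS_MAGIC.items() if m in body]
    if bad_crc:
        findings.append("bad_crc:" + ",".join(bad_crc))
    return findings

def make_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample(extra=b"", trailing=b""):
    """Constructed 1x1 greyscale PNG; `extra` = raw chunks before IEND, `trailing` = bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + extra + make_chunk(b"IEND", b"") + trailing)
```

A clean image yields no findings; an image with bytes after IEND or an oversized text chunk containing an archive or DEX header is flagged, which is the kind of check a build pipeline or proxy can run on image downloads regardless of whether the payload is encrypted afterwards.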

The FatModule itself incorporated multiple anti-analysis features, including debugging tool detection that specifically searched for hooking frameworks, Xposed modules, and Frida instrumentation tools commonly employed by security researchers. Additionally, the module utilized string encryption throughout its codebase and packed native code to obscure its true functionality from static analysis tools.

// Decompiled anti-analysis routine from FatModule: walks the current thread's
// call stack and returns true if any frame's class or method name suggests a
// hooking framework (Xposed, Frida) is loaded into the process.
public static Boolean m45535a() {
    try {
        StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
        for (StackTraceElement element : stackTrace) {
            // "fully.qualified.Class#method", matched case-insensitively
            String className = element.getClassName() + "#" + element.getMethodName();
            if (className.toLowerCase().contains("hook") ||
                className.toLowerCase().contains("xpose") ||
                className.toLowerCase().contains("frida")) {
                return true; // instrumentation detected
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
    return false; // no known framework found in the stack
}

The execution of the fraud occurred within hidden WebViews that collected comprehensive device fingerprinting data, including hardware specifications, network information, and GPU details. This information enabled precise targeting while the hidden interfaces navigated to cashout domains controlled by the threat actors, generating fraudulent advertisement impressions and clicks without any user awareness or interaction.

In response to this alarming discovery, Google has removed all identified SlopAds applications from the Play Store. Users are also receiving automatic protection through Google Play Protect, which warns against and blocks the installation of known malicious applications, even from third-party sources.
