A significant disruption in the world of digital advertising has unfolded, as a large-scale Android ad fraud operation known as “SlopAds” has been dismantled. This operation involved 224 malicious applications available on Google Play, which collectively generated an astonishing 2.3 billion ad requests daily.
The Satori Threat Intelligence team at HUMAN uncovered this extensive ad fraud scheme, revealing that these applications were downloaded over 38 million times. The perpetrators employed advanced techniques such as obfuscation and steganography to mask their malicious activities from both Google and security measures.
The reach of the SlopAds campaign was truly global, with users from 228 countries installing the fraudulent apps. The United States accounted for the largest share of ad impressions at 30%, followed by India at 10% and Brazil at 7%. According to HUMAN, the term “SlopAds” was chosen to reflect the appearance of mass-produced applications, akin to “AI slop,” and to reference a collection of AI-themed apps hosted on the threat actors’ command-and-control server.
[Figure. Source: HUMAN Satori]
The SlopAds ad fraud campaign
The ad fraud operation employed a variety of evasion tactics designed to elude detection by Google’s app review process and security tools. If a user installed a SlopAds app organically from the Play Store, rather than through one of the threat actor’s ad campaigns, the app would function as intended, performing its advertised capabilities.
[Figure. Source: HUMAN Satori]
However, if the app was installed through one of the threat actor’s ad campaigns, it would utilize Firebase Remote Config to retrieve an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The app then assessed whether it was operating on a legitimate user’s device or under scrutiny from researchers or security software.
Upon passing these checks, the app would download four PNG images that employed steganography to hide components of a malicious APK, which powered the ad fraud operation.
[Figure. Source: HUMAN Satori]
Once these images were downloaded, they were decrypted and reassembled on the device to create the complete “FatModule” malware, responsible for executing the ad fraud scheme. Upon activation, FatModule utilized hidden WebViews to collect device and browser information, subsequently navigating to cashout domains controlled by the attackers.
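The report does not describe how the APK fragments were encoded inside the PNG files, so the following is an added, defender-side example that is not HUMAN’s code and not taken from the SlopAds samples. It parses a PNG chunk by chunk and reports three indicators that commonly accompany payloads smuggled in image files: bytes appended after the IEND chunk, chunk types the PNG specification does not define, and ancillary chunks far larger than metadata normally needs. The baseline image, the chunk name “slOp” and the size threshold are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a closer look.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT", "sRGB",
    "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}
CRITICAL_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND"}


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the clean baseline (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolor
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b""))


def insert_chunk_before_iend(png: bytes, ctype: bytes, payload: bytes) -> bytes:
    """Insert a chunk just before IEND; IEND is always the final 12 bytes of a PNG."""
    return png[:-12] + build_chunk(ctype, payload) + png[-12:]


def inspect_png(blob: bytes, max_ancillary: int = 4096) -> dict:
    """Walk the chunk list and collect indicators of hidden data.

    Returns chunk (name, length) pairs, the number of bytes after IEND, and a
    list of human-readable findings (empty for a clean file).
    """
    findings, chunks = [], []
    if not blob.startswith(PNG_SIGNATURE):
        return {"chunks": chunks, "trailing_bytes": 0,
                "findings": ["missing PNG signature"]}
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        if pos + 12 + length > len(blob):
            findings.append(f"truncated chunk {ctype!r}")
            break
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if stored_crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch on chunk {ctype!r}")
        name = ctype.decode("latin-1")
        chunks.append((name, length))
        if name not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        elif name not in CRITICAL_CHUNKS and length > max_ancillary:
            findings.append(f"oversized ancillary chunk {name} ({length} bytes)")
        pos += 12 + length
        if name == "IEND":
            saw_iend = True
            break
    trailing = 0
    if saw_iend:
        trailing = len(blob) - pos
        if trailing > 0:
            findings.append(f"{trailing} bytes after IEND")
    else:
        findings.append("no IEND chunk")
    return {"chunks": chunks, "trailing_bytes": trailing, "findings": findings}


if __name__ == "__main__":
    clean = build_minimal_png()
    print("clean:", inspect_png(clean)["findings"])
    print("appended:", inspect_png(clean + b"\x00" * 200)["findings"])
    print("private chunk:", inspect_png(
        insert_chunk_before_iend(clean, b"slOp", b"\x00" * 5000))["findings"])
```

A clean file yields no findings; the same file with 200 bytes appended reports them as trailing data, and a 5000-byte chunk of an unknown type is reported by name and size. These checks are heuristics: a payload spread across pixel data (LSB-style embedding) keeps the chunk layout intact and needs statistical or rendering-based analysis instead, so treat a clean result as “no obvious appended payload” rather than “no steganography”.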
These domains impersonated legitimate gaming and news sites, continuously serving ads through concealed WebView screens, resulting in over 2 billion fraudulent ad impressions and clicks daily, thus generating revenue for the fraudsters.
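Ads rendered in a hidden WebView produce impressions no user can see, and a device driven this way issues requests far faster than a person browsing would. The following added example, which is not HUMAN’s detection logic and not from the report, profiles a constructed ad-request log on the ad-serving side and flags devices that combine a high request rate with almost no viewable impressions. The JSON record layout, the `viewable` field, the device and app identifiers and the thresholds are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def make_sample_log() -> str:
    """Constructed sample log (not page data): one JSON record per ad request."""
    base = datetime(2025, 9, 17, 10, 0, tzinfo=timezone.utc)
    lines = []
    # dev-A: 30 requests in under ten minutes, none viewable, one lookalike referrer.
    for i in range(30):
        lines.append(json.dumps({
            "ts": (base + timedelta(seconds=20 * i)).isoformat(),
            "device_id": "dev-A", "app": "com.example.wallpapers",
            "referrer": "gaming-news.example", "viewable": False}))
    # dev-B: 5 requests spread over an hour, all viewable (ordinary use).
    for i in range(5):
        lines.append(json.dumps({
            "ts": (base + timedelta(minutes=15 * i)).isoformat(),
            "device_id": "dev-B", "app": "com.example.wallpapers",
            "referrer": "publisher.example", "viewable": True}))
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON records, converting timestamps to datetimes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def profile_devices(records: list) -> dict:
    """Aggregate request count, viewable count, time span and referrers per device."""
    prof = defaultdict(lambda: {"requests": 0, "viewable": 0,
                                "first": None, "last": None, "referrers": set()})
    for r in records:
        p = prof[r["device_id"]]
        p["requests"] += 1
        p["viewable"] += 1 if r["viewable"] else 0
        if p["first"] is None or r["ts"] < p["first"]:
            p["first"] = r["ts"]
        if p["last"] is None or r["ts"] > p["last"]:
            p["last"] = r["ts"]
        p["referrers"].add(r["referrer"])
    return prof


def flag_devices(profiles: dict, min_requests: int = 20,
                 max_per_minute: float = 2.0,
                 max_viewable_ratio: float = 0.1) -> list:
    """Flag devices whose request rate is high and whose impressions are unseen.

    The time span is floored at one minute so a burst of requests with identical
    timestamps is rated as at least that many requests per minute.
    """
    flagged = []
    for dev, p in sorted(profiles.items()):
        span_min = max((p["last"] - p["first"]).total_seconds() / 60.0, 1.0)
        rate = p["requests"] / span_min
        viewable_ratio = p["viewable"] / p["requests"]
        if (p["requests"] >= min_requests and rate > max_per_minute
                and viewable_ratio <= max_viewable_ratio):
            flagged.append({"device_id": dev,
                            "rate_per_min": round(rate, 2),
                            "viewable_ratio": round(viewable_ratio, 2),
                            "referrers": sorted(p["referrers"])})
    return flagged


if __name__ == "__main__":
    for hit in flag_devices(profile_devices(parse_log(make_sample_log()))):
        print(hit)
```

On the constructed log only dev-A is flagged: roughly three requests per minute with a viewable ratio of zero, all attributed to one referrer domain. In practice the rate threshold is tuned per ad format and the referrer set is compared against the publisher domains actually registered for the app, since impressions attributed to a site the app has no business loading are a second, independent signal.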
HUMAN’s findings indicate that the campaign’s infrastructure included numerous command-and-control servers and over 300 related promotional domains, hinting at the threat actors’ intentions to expand beyond the initial 224 identified apps.
In response to this alarming discovery, Google has removed all known SlopAds applications from the Play Store, and Android’s Google Play Protect has been updated to alert users to uninstall any remaining instances found on their devices. Nevertheless, HUMAN cautions that the sophistication of this ad fraud operation suggests that the perpetrators are likely to adapt their methods and attempt to launch future attacks.