Large-Scale Malicious App Campaign Bypassing Android Security

A recent analysis by Bitdefender has unveiled a significant ad fraud campaign that has led to over 60 million downloads of malicious applications from the Google Play Store. These apps, designed to display out-of-context advertisements, have also been implicated in attempts to steal user credentials and credit card information through phishing attacks.

The campaign encompasses at least 331 applications, all equipped with the ability to circumvent Android’s security measures. This alarming capability allows these apps to remain undetected on users’ devices and to activate without any interaction from the user—behaviors that should not be feasible within the confines of Android 13.

According to Bitdefender researchers, this operation may be orchestrated by a single entity or a group of criminals utilizing a common packaging tool available on dark web marketplaces. The campaign is still ongoing, with the latest malware being introduced to the Google Play Store as recently as the first week of March 2025. Most of the applications first appeared on the platform in the third quarter of 2024.

Silviu Stahie, a Security Analyst at Bitdefender, shared insights with Infosecurity, noting that of the 331 apps identified, 10 remain active and have even received updates. “Google has removed many of the apps, and we can easily conclude that the attackers are trying to modify their malware in their efforts to stay ahead of the detection systems,” he explained. Stahie added that Google has been notified of these findings and is currently conducting an investigation into the matter.

Apps Staying Hidden from Android Users

The malicious applications often masquerade as innocuous utility tools, including QR code scanners, expense trackers, healthcare apps, and wallpaper changers. These apps manage to bypass Android’s security protocols, initiating activities even when they are not actively running in the foreground. They bombard users with persistent full-screen advertisements and launch phishing attempts without the necessary permissions.

Upon installation, the apps declare a contact content provider that the system queries automatically; because that query starts the app's process, the app gets to run without the user ever opening it. In the more recent iterations of these apps, the content provider is referenced as a string in resources, a shift from previous practices where it was directly cited in the app's manifest. This evolution indicates that the attackers are adapting their strategies as their tactics are discovered and apps are removed from the store.

The researchers noted that the attackers employ various methods to keep their malicious apps concealed from users, including hiding the app icon—a practice that is no longer permissible in the Android operating system. Some applications have been downloaded with the Launcher Activity disabled by default, which allows them to exploit the startup mechanism provided by the content provider. This enables the apps to use native code to activate the launcher, a tactic likely employed to evade detection.

Once the initial setup is complete, the app disables its launcher, causing its icon to vanish entirely from the device’s launcher interface. This behavior is not allowed in newer versions of Android, suggesting that the developers have either discovered a vulnerability or are misusing the API. Additionally, some apps have been found to exploit the Android Leanback Launcher—a feature intended for Android TV—to further conceal their presence on standard Android devices.
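The three hiding and persistence indicators described above (a contact directory provider the system queries on its own, a launcher activity shipped disabled, and a Leanback launcher entry in an app that does not target TV) can all be triaged from a decoded manifest. The script below is an added example for analysts, not Bitdefender's tooling or anything from the apps themselves; the manifest it scans is constructed, and the Contacts Directory declaration it looks for (`android.content.ContactDirectory` meta-data on a provider) is taken from Android's own documentation rather than from the article.

```python
"""Static triage of a decoded AndroidManifest.xml for the hiding/persistence
indicators discussed in the article. Added example code; the sample manifest
is constructed and the package name is a placeholder."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Return the namespaced key for an android:* attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed manifest that shows all three indicators at once.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.qrscanner">
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TvActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LEANBACK_LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".DirProvider"
        android:authorities="com.example.constructed.qrscanner.directory"
        android:exported="true"
        android:readPermission="android.permission.READ_CONTACTS">
      <meta-data android:name="android.content.ContactDirectory" android:value="true"/>
    </provider>
  </application>
</manifest>
"""

# Constructed benign manifest: ordinary launcher activity, no provider.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def _categories(activity):
    """Collect every intent-filter category name declared on an activity."""
    return {
        cat.get(a("name"))
        for flt in activity.findall("intent-filter")
        for cat in flt.findall("category")
    }


def triage_manifest(xml_text):
    """Return a list of 'indicator:subject' strings found in the manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    # A genuine TV app declares the leanback software feature.
    declared_features = {f.get(a("name")) for f in root.findall("uses-feature")}

    # activity-alias can also carry a launcher intent-filter, so scan both.
    for act in app.findall("activity") + app.findall("activity-alias"):
        cats = _categories(act)
        name = act.get(a("name"))
        # Launcher entry shipped disabled: nothing for the user to tap, yet the
        # component can be enabled later from code.
        if "android.intent.category.LAUNCHER" in cats and act.get(a("enabled")) == "false":
            findings.append(f"launcher-disabled-by-default:{name}")
        # Leanback (Android TV) launcher entry in an app that never claims TV support.
        if ("android.intent.category.LEANBACK_LAUNCHER" in cats
                and "android.software.leanback" not in declared_features):
            findings.append(f"leanback-launcher-without-tv-feature:{name}")

    # Contacts Directory providers are queried by the system itself, which
    # brings the app's process up without any user interaction.
    for prov in app.findall("provider"):
        for md in prov.findall("meta-data"):
            if (md.get(a("name")) == "android.content.ContactDirectory"
                    and md.get(a("value")) == "true"):
                findings.append(f"contact-directory-provider:{prov.get(a('authorities'))}")
    return findings


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(label, triage_manifest(manifest) or "no indicators")
```

None of these indicators is malicious on its own (a real TV app legitimately uses Leanback, and enterprise directory apps legitimately declare a Contacts Directory provider); the value is in the combination, and in finding them in an app that claims to be a QR scanner or wallpaper changer. As the article notes, newer samples move the provider reference out of the manifest into string resources, so a manifest-only pass will miss them and the resource table and native library need to be inspected as well.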

Apps Launch Ads and Phishing Attacks Without Permission

Bitdefender’s investigation revealed that these apps can display advertisements on Android devices without being actively launched, even if another application is in use. The mechanism for initiating these activities resides within the native library, allowing the apps to operate without the necessary permissions by manipulating several API calls.

This exploitation enables attackers to execute phishing attacks directly on the device screen, prompting users to enter credentials for sites like Facebook and YouTube. In some instances, users are coerced into providing credit card details under various pretenses. The researchers also highlighted a common tactic where attackers intimidate users with threats of device infections, aiming to persuade them to install potentially harmful third-party applications, including banking Trojans.

Most of the malicious apps utilize custom command and control (C2) domains, employing various encoding and encryption methods such as AES, Base64, and bespoke encryption techniques. Device information is exfiltrated as a dictionary-style structure whose keys are polymorphic and unique to each application, which complicates signature-based detection and analysis.
