Malicious Android ‘Vapor’ apps on Google Play installed 60 million times

In a significant revelation, over 300 malicious Android applications have been identified, collectively amassing a staggering 60 million downloads from Google Play. These apps, categorized as adware, have also attempted to pilfer sensitive user information, including credentials and credit card details. The operation, dubbed “Vapor,” was first uncovered by the IAS Threat Lab and has been active since early 2024.

IAS’s investigation revealed that 180 apps were part of the Vapor campaign, generating an astonishing 200 million fraudulent advertising bid requests each day, thereby facilitating extensive ad fraud. A subsequent report from Bitdefender expanded the scope of the threat, identifying a total of 331 malicious applications, with notable infections reported in countries such as Brazil, the United States, Mexico, Turkey, and South Korea.

Bitdefender warns that these apps not only display misleading advertisements but also employ phishing tactics to coax users into divulging personal information. Although Google Play has removed these malicious applications, the potential for the Vapor threat to resurface remains high, as the perpetrators have demonstrated a capacity to circumvent Google’s review mechanisms.

Vapor apps on Google Play

The applications involved in the Vapor campaign masquerade as utilities that offer various functionalities, including health and fitness tracking, note-taking, battery optimization, and QR code scanning. They successfully pass Google’s security reviews by presenting legitimate features at the time of submission, with the malicious components being introduced later through updates from a command and control (C2) server.

Malicious apps on Google Play
Source: IAS Threat Lab

Some of the most notable offenders highlighted by Bitdefender and IAS include:

  • AquaTracker – 1 million downloads
  • ClickSave Downloader – 1 million downloads
  • Scan Hawk – 1 million downloads
  • Water Time Tracker – 1 million downloads
  • Be More – 1 million downloads
  • BeatWatch – 500,000 downloads
  • TranslateScan – 100,000 downloads
  • Handset Locator – 50,000 downloads

These apps were uploaded to Google Play from various developer accounts, each responsible for only a handful of submissions to minimize the risk of detection. To further evade scrutiny, each publisher utilized different advertising SDKs.

Most of the Vapor apps made their debut on Google Play between October 2024 and January 2025, with uploads continuing until March.

Vapor app submissions on Google Play
Source: Bitdefender

Malicious functionality

The malicious apps associated with Vapor employ a sophisticated technique to conceal their presence. After installation, they disable their Launcher Activity in the AndroidManifest.xml file, rendering them invisible to users. In some instances, they even rename themselves in device settings to mimic legitimate applications, such as Google Voice.

These apps can launch without any user interaction and utilize native code to activate a secondary hidden component while keeping the launcher disabled. This method allows them to bypass security protections introduced in Android 13+, which are designed to prevent apps from disabling their own launcher activities once they are active.

Additionally, the malware circumvents restrictions on the ‘SYSTEM_ALERT_WINDOW’ permission in Android 13+, creating a fullscreen overlay that displays ads on top of all other applications, effectively trapping users as the ‘back’ button is disabled. The apps also remove themselves from the ‘Recent Tasks’ list, making it difficult for users to identify which app triggered the intrusive advertisement.

Bitdefender notes that some of these applications extend beyond mere ad fraud, displaying counterfeit login screens for platforms like Facebook and YouTube in an effort to steal user credentials or solicit credit card information under false pretenses.


For Android users, it is advisable to refrain from installing unnecessary applications from unverified publishers, carefully scrutinize the permissions granted to apps, and regularly compare the app drawer with the list of installed applications found in Settings → Apps → See all apps.
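The comparison between the app drawer and the installed-apps list can also be scripted over adb. The following is an added example, not code from the original article or from the IAS or Bitdefender reports; it assumes adb access to a device you own, and the sample package names are constructed.

```python
import subprocess

# adb commands whose output the parsers below expect (run against a device you own).
LIST_THIRD_PARTY = ["adb", "shell", "pm", "list", "packages", "-3"]
LIST_LAUNCHERS = ["adb", "shell", "cmd", "package", "query-activities", "--components",
                  "-a", "android.intent.action.MAIN",
                  "-c", "android.intent.category.LAUNCHER"]

def parse_installed(text):
    """Package names from `pm list packages` output (lines like 'package:com.x')."""
    return {line.strip()[len("package:"):] for line in text.splitlines()
            if line.strip().startswith("package:")}

def parse_launchable(text):
    """Packages owning an enabled launcher activity, from 'pkg/activity' lines.

    Assumption: component lines contain a '/' and no spaces; any other line
    (counts, priority details printed by --brief) is ignored.
    """
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if "/" in line and " " not in line:
            pkgs.add(line.split("/", 1)[0])
    return pkgs

def hidden_packages(installed_text, launcher_text):
    """Installed third-party packages that expose no icon in the app drawer."""
    return sorted(parse_installed(installed_text) - parse_launchable(launcher_text))

# Constructed sample output; package names are invented for illustration.
SAMPLE_INSTALLED = """package:com.example.notes
package:com.example.qrscan
package:com.example.keyboard
"""
SAMPLE_LAUNCHERS = """com.example.notes/.MainActivity
com.android.settings/.Settings
"""

if __name__ == "__main__":
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    for pkg in hidden_packages(run(LIST_THIRD_PARTY), run(LIST_LAUNCHERS)):
        print("no launcher entry:", pkg)
```

Legitimate apps such as keyboards and widgets also have no launcher icon, so the result is a list to review by hand, not a verdict.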

A comprehensive list of all 331 malicious apps that were uploaded to Google Play can be accessed here. Users who discover any of these applications on their devices are urged to remove them immediately and conduct a thorough system scan using Google Play Protect or other mobile antivirus solutions.

BleepingComputer has reached out to Google for a statement regarding the Vapor campaign; however, no comment was available at the time of publication.

AppWizard