advertising fraud Archives

AppWizard

November 26, 2025

Android users told to delete apps immediately after cyber attack infestation

Hundreds of Android applications have been compromised by SlopAds ad fraud malware, leading to their removal from the Google Play Store. A total of 224 apps were identified, collectively downloaded over 38 million times. The malware employs techniques like steganography to hide its activities and redirect users to malicious sites. Google has removed all identified malicious apps and will alert users to uninstall them. Android users are advised to activate Google Play Protect for enhanced security. The ad fraud undermines the integrity of legitimate advertisers and developers.

AppWizard

November 3, 2025

Android users urged to delete hundreds of apps immediately in cyber attack warning

A new wave of cyber attacks targeting Android users has been identified, involving 224 compromised applications that have collectively amassed over 38 million downloads from the Google Play Store. This threat, named SlopAds by the Satori Threat Intelligence and Research Team, involves sophisticated advertising fraud techniques, including steganography, to generate illicit revenue through harmful ads embedded in apps. Google has removed all compromised applications from the Play Store and will notify users to uninstall them. Users are advised to enable Google’s Play Protect feature to safeguard against malicious applications. Ad fraud not only affects individual users but also undermines trust in the advertising ecosystem.

AppWizard

November 3, 2025

Android warning as hundreds of apps should be deleted after cyber attack

A cyber attack known as SlopAds has compromised 224 Android applications, which have been downloaded over 38 million times from the Google Play Store. The attack involves malicious advertisements that deceive users into providing personal and financial information. The Satori Threat Intelligence and Research Team reported that the threat actors use techniques like steganography and hidden WebViews to direct users to fraudulent cashout sites. Google has removed all identified problematic apps from the Play Store and will alert users who downloaded them to uninstall them. Android users are advised to activate the Google Play Protect feature to prevent future threats. Ad fraud not only affects individual users but also undermines the integrity of reputable advertisers and developers.

AppWizard

September 17, 2025

38 Million Downloads Across 224 Malicious Android Apps on Google Play Deliver Harmful Payloads

Researchers from HUMAN’s Satori Threat Intelligence and Research Team discovered a digital advertising fraud operation called “SlopAds,” which involves 224 Android applications that have over 38 million downloads across 228 countries. SlopAds employs a multi-layered obfuscation strategy to deploy fraud modules that siphon ad revenue. The applications connect to Firebase Remote Config to retrieve an encrypted configuration that conceals URLs for PNG images containing fragments of an APK, which are reassembled to create the core fraud component known as FatModule. SlopAds generates approximately 2.3 billion bid requests daily, primarily targeting users in the United States (30%), India (10%), and Brazil (7%). Google Play Protect alerts users and blocks known SlopAds applications, and Google has removed these applications from the Play Store. Users who installed these apps from off-market sources remain vulnerable until they uninstall them.

AppWizard

July 22, 2025

Cybercriminals Merge Android Malware with Click Fraud Apps to Harvest Credentials

Researchers have identified a sophisticated cluster of Android malware that merges brand impersonation with traffic monetization strategies, utilizing Android Package Kit (APK) files to compromise user trust and extract sensitive information. The malware disguises itself as legitimate services and uses social engineering techniques to encourage manual installations. Once installed, it exploits Android's permission model to access device resources and hijack network traffic for advertising fraud. The malware includes various categories such as ad fraud apps, credential stealers, background data harvesters, task reward apps, and gambling apps, each designed to manipulate user interactions and collect sensitive data. Common strategies include redirecting traffic through monetized domains and employing encrypted command-and-control communications. A notable variant is a spoofed Facebook APK that requests extensive permissions and retrieves encrypted configuration files from specific domains. The malware's infrastructure allows it to circumvent Android signature verification and adapt its behavior based on the environment, evading detection. Analysis suggests involvement from Chinese-speaking operators, with connections to underground economies trading stolen data. The campaign combines ad fraud and credential theft, highlighting a dual purpose of monetization and intelligence gathering. Users are advised to limit installations to trusted sources and scrutinize unsolicited APKs to mitigate threats.

AppWizard

July 15, 2025

Konfety Android Malware on Google Play Uses ZIP Manipulation to Imitate Legitimate Apps

Zimperium’s zLabs security research team has identified a new variant of the Konfety Android malware, which employs advanced evasion techniques to bypass security analysis tools while executing fraudulent advertising operations globally. The Konfety malware family, first recognized during a mobile advertising fraud campaign in 2024, initially involved over 250 decoy applications on the Google Play Store and was responsible for 10 billion fraudulent ad requests daily. The malware uses sophisticated ZIP-level manipulation tactics to disrupt analysis tools, including misleading the General Purpose Flag within the APK’s ZIP structure to trigger password prompts and declaring an unsupported compression method in the AndroidManifest.xml file to crash analysis tools. Additionally, it utilizes dynamic code loading and obfuscation to hide malicious functionality, embedding executable code within encrypted assets and maintaining a benign appearance during installation. The malware has developed a command-and-control infrastructure that initiates contact through a sequence of network requests after user agreement acceptance. It also employs stealth techniques to conceal its application icon and name, complicating user identification and removal. Behavioral detection systems can identify malicious activity by monitoring application behavior patterns and network communications.