Bad apps can hide in plain sight, and Google just pulled the plug on one of the biggest ad fraud operations we’ve seen in a while. Bleeping Computer reports that security researchers from HUMAN’s Satori Threat Intelligence team discovered a massive Android ad fraud campaign they’ve dubbed SlopAds, and the scale is staggering.

Defrauding users, advertisers, and the Play Store

The SlopAds campaign used relatively clever techniques


According to the report, 224 malicious apps made their way onto Google Play, collectively racking up more than 38 million downloads. These weren’t fly-by-night APKs floating around shady forums, either. They were live on Google’s official store, which makes this takedown particularly significant. The campaign was generating roughly 2.3 billion ad requests per day, a level of activity that could have been costing advertisers millions in fake impressions.

What made SlopAds stand out was its sophistication. The apps looked and behaved like normal software at first. If you installed one through the Play Store like any other app, it would perform as advertised. But if you clicked on one of the threat actor’s ads before downloading, the app flipped a switch. Using Firebase Remote Config, it quietly pulled down an encrypted configuration file with links to malicious modules and command-and-control servers.

Figure: How the malicious code was hidden in PNG images using steganography (source: HUMAN Satori / Bleeping Computer).

From there, the malware would download four seemingly harmless PNG images that hid pieces of a secondary payload, called “FatModule.” Once reassembled and executed, this malware spun up hidden WebViews on your device, impersonating gaming and news sites to display ads in the background. The scheme resulted in billions of fake ad impressions and clicks every day, draining devices’ resources while lining attackers’ pockets.

Google has since removed all identified SlopAds apps from the Play Store and updated Play Protect to alert users to uninstall them. The company says affected devices should now be safe, but HUMAN warns that the actors behind this campaign were likely preparing to expand beyond the initial 224 apps, and may try again with a new wave of fraudulent software.

How to stay safe from bad apps

While Google’s Play Protect is getting better at catching these threats, it’s still worth being cautious. Avoid installing apps from unknown developers with few reviews, keep Play Protect turned on, and consider running a reputable Android antivirus if you’re particularly concerned. And if your phone suddenly starts running hot or burning through data for no reason, check for apps you don’t recognize, which could be a sign something’s working overtime in the background.

The SlopAds takedown is a win for users, but it’s also a reminder that malicious actors will keep pushing the envelope. Stay vigilant, because as HUMAN researchers warned, this likely won’t be the last big scam campaign we see.