Cybersecurity researchers have warned about a large-scale ad fraud campaign that has leveraged hundreds of malicious apps published on the Google Play Store to serve full-screen ads and conduct phishing attacks.
“The apps display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks,” Bitdefender said in a report shared with The Hacker News.
Details of the activity were first disclosed by Integral Ad Science (IAS) earlier this month, documenting the discovery of over 180 apps that were engineered to deploy endless and intrusive full-screen interstitial video ads. The ad fraud scheme was codenamed Vapor.
These apps, which have since been taken down by Google, masqueraded as legitimate apps and collectively amassed more than 56 million downloads between them, generating over 200 million bid requests daily.
“Fraudsters behind the Vapor operation have created multiple developer accounts, each hosting only a handful of apps to distribute their operation and evade detection,” the IAS Threat Lab said. “This distributed setup ensures that the takedown of any single account would have minimal impact on the overall operation.”
By mimicking seemingly harmless utility, fitness, and lifestyle applications, the operation has been able to successfully dupe unwitting users into installing them.
Another important aspect is that the threat actors have been found employing a sneaky technique called versioning, which involves publishing to the Play Store a functional app sans any malicious functionality such that it passes Google’s vetting process. The features are removed in subsequent app updates to show intrusive ads.
What’s more, the ads hijack the device’s entire screen and prevent the victim from using the device, rendering it largely inoperable. It’s assessed that the campaign began sometime around April 2024, before expanding at the start of this year. More than 140 bogus apps were uploaded to the Play Store in October and November alone.
The latest findings from the Romanian cybersecurity company show that the campaign is bigger than previously thought, featuring as many as 331 apps that racked up more than 60 million downloads in total.
Besides hiding the app’s icon from the launcher, some of the identified applications have also been observed attempting to collect credit card data and user credentials for online services. The malware is also capable of exfiltrating device information to an attacker-controlled server.
Another technique used for detection evasion is the use of Leanback Launcher, a type of launcher specifically designed for Android-based TV devices, and changing its own name and icon to impersonate Google Voice.
“Attackers figured out a way to hide the apps’ icons from the launcher, which is restricted on newer Android iterations,” Bitdefender said. “The apps can start without user interaction, even though this should not be technically possible in Android 13.”
It’s believed that the campaign is the work of either a single threat actor or several cybercriminals who are making use of the same packing tool that’s advertised for sale on underground forums.
“The investigated applications bypass Android security restrictions to start activities even if they are not running in the foreground and, without required permissions to do so, spam the users with continuous, full-screen ads,” the company added. “The same behavior is used to serve UI elements featuring phishing attempts.”
