Google removes 224 Android apps linked to global ad fraud campaign “SlopAds”

Google has taken down 224 malicious Android apps from the Play Store after researchers uncovered a large-scale ad fraud operation dubbed SlopAds. The campaign, identified by HUMAN’s Satori Threat Intelligence team, had been active across 228 countries and territories, generating an estimated 2.3 billion ad requests daily and accumulating more than 38 million downloads.

At first glance, the affected apps appeared legitimate, functioning as described for users who discovered them organically on the Play Store. However, if installed after clicking a related advertisement, the apps would activate hidden malware. Using Firebase Remote Config, they downloaded encrypted configuration files containing links to malicious modules, command-and-control servers, and payload instructions.

The apps then retrieved four PNG image files embedded with concealed code through steganography. Once decrypted and reassembled, the files produced a malware module called FatModule. This component launched hidden WebViews on infected devices, impersonating gaming and news sites to serve ads continuously in the background. The process generated fraudulent impressions and clicks, draining system resources while funneling revenue to the operators.

The campaign employed several layers of obfuscation. The malware only activated if the installation stemmed from a threat actor–controlled ad, reducing the chance of detection during security testing. It also checked whether the device was an emulator or under debugging, halting fraudulent activity if analysis was suspected.

Researchers also noted the campaign’s use of marketing attribution tools to determine whether installs came from ads, a novel tactic in ad fraud. Combined with encrypted strings, packed native code, and staged redirects, these techniques allowed the scheme to bypass detection for months.

Traffic linked to SlopAds was highest in the United States (30%), followed by India (10%) and Brazil (7%). The infrastructure supporting the campaign included numerous command-and-control servers and over 300 promotional domains, indicating that the group behind SlopAds may have been preparing to expand well beyond the initial 224 apps already identified.

All known SlopAds apps have been removed from the Play Store. Google Play Protect has been updated to warn users and prompt uninstallation if any of the apps remain on devices. HUMAN’s researchers caution that the sophistication of the campaign suggests similar attempts may follow, as malicious actors continue to refine techniques for bypassing app review processes.

Experts recommend users remain cautious when downloading apps, even from official sources. Warning signs include unknown developers, poor reviews, or unexplained spikes in data usage and battery drain. Keeping Play Protect enabled and, for high-risk users, supplementing with a reputable mobile security tool can provide additional protection.

The disruption of SlopAds highlights both the growing sophistication of ad fraud schemes and the challenges platforms face in preventing malicious actors from exploiting legitimate ecosystems at scale.

Written by Maya Robertson
