A large-scale ad fraud campaign has resulted in more than 60 million downloads of malicious apps from the Google Play Store, according to a new analysis by Bitdefender.
These apps display out-of-context ads, with many attempting to steal user credentials and credit card data via phishing attacks.
The campaign features at least 331 apps, all of which have capabilities to bypass Android security restrictions.
These capabilities enable the apps to remain hidden on devices and activate without user interaction, behaviors that should not be possible in Android 13.
The Bitdefender researchers said the campaign is either the work of one actor, or of multiple criminals using the same packaging tool sold on online black markets.
The campaign remains active, with the latest malware published in the Google Play Store going live in the first week of March, 2025.
Most of the applications first became active on Google Play in Q3 2024.
Silviu Stahie, Security Analyst at Bitdefender, told Infosecurity that of the 331 apps observed in the campaign, 10 are still active and have even received updates.
“Google has removed many of the apps, and we can easily conclude that the attackers are trying to modify their malware in their efforts to stay ahead of the detection systems,” he explained.
Stahie added that Google has been informed of the findings and is currently investigating the issues raised.
Apps Staying Hidden from Android Users
The malicious apps mimic simple utility apps such as QR scanners, expense tracking, healthcare and wallpaper.
The investigated applications bypass Android security restrictions and start activities even when they are not running in the foreground. Additionally, without the permissions required to do so, they spam users with continuous, full-screen ads and launch phishing attempts.
The apps declare a contact content provider that is automatically queried by the system after the installation has been completed and the application entry point is loaded.
A content provider manages access to a central repository of data and coordinates access to the data storage layer in an application for a number of different APIs and components.
In recent apps used in the campaign, the content provider has been referenced as a string in resources. Previously, it was directly referenced in the app’s manifest.
The researchers said this shows the attackers adapting their methods as their tactics are discovered and apps are removed from the store.
The attackers were observed using multiple approaches to keep malicious apps concealed from users by hiding the icon, despite this behavior no longer being allowed in the Android operating system (OS).
Some of the apps are downloaded with the Launcher Activity disabled by default. Activity Launcher is an app that allows Android users to directly run some of the activities from installed apps.
After download, by abusing the startup mechanism provided by the content provider, the apps use native code to enable the launcher, which is likely carried out as an additional technique to evade detection.
After the “setup procedure” is complete, the app disables its launchers and the icon disappears entirely from the phone launcher.
This behavior is not permitted in newer Android versions, which suggests the app developers found a vulnerability or are abusing the API.
Another bypass technique used is abusing the Android Leanback Launcher – a launcher specifically designed for Android TV that is not available on regular Android phones.
Some of the apps use an alias of the Leanback Launcher. If the alias is disabled by default and the Leanback Launcher is not shown, the app can choose whether to enable or disable the Launcher alias.
The researchers also observed some apps try to hide in Settings to avoid user removal.
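The manifest traits described above (a launcher activity that ships disabled, an alias targeting the Android TV Leanback launcher, and a content provider whose authority is resolved from a string resource rather than written directly in the manifest) can all be triaged statically before an app is ever run. The following is an added example, not code from Bitdefender's report or from this article: a small Python script that scans a decoded AndroidManifest.xml (for instance from apktool output) for those three indicators. Both manifests embedded below are constructed for illustration, and the function name triage_manifest and the indicator labels are my own.

```python
import xml.etree.ElementTree as ET

# Android's attribute namespace as it appears in a decoded manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "QR scanner" manifest showing all three indicators.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.qrscanner">
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity" android:enabled="false" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".TvAlias" android:targetActivity=".MainActivity"
                    android:enabled="false" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LEANBACK_LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <provider android:name=".StartupProvider"
              android:authorities="@string/provider_authority"
              android:exported="false"/>
  </application>
</manifest>
"""

# Constructed sample: an ordinary phone app with an enabled launcher and no provider.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _categories(elem):
    """Collect every intent-filter category name declared on a component."""
    return {
        _attr(cat, "name")
        for filt in elem.findall("intent-filter")
        for cat in filt.findall("category")
    }


def triage_manifest(manifest_xml):
    """Return a sorted list of indicator labels found in a decoded manifest.

    Labels are 'launcher-disabled:<component>', 'leanback-launcher:<component>'
    and 'provider-resource-authority:<component>'. An empty list means none
    of the three traits was seen.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    findings = []

    # Activities and aliases: a LAUNCHER entry shipped disabled means no icon
    # at install time; a LEANBACK_LAUNCHER entry is a TV-only launcher path.
    for comp in app.findall("activity") + app.findall("activity-alias"):
        name = _attr(comp, "name")
        cats = _categories(comp)
        if "android.intent.category.LAUNCHER" in cats and _attr(comp, "enabled") == "false":
            findings.append("launcher-disabled:%s" % name)
        if "android.intent.category.LEANBACK_LAUNCHER" in cats:
            findings.append("leanback-launcher:%s" % name)

    # Providers: the system queries these after install, so one whose
    # authority is hidden behind a string resource is worth a closer look.
    for prov in app.findall("provider"):
        authorities = _attr(prov, "authorities") or ""
        if authorities.startswith("@string/"):
            findings.append("provider-resource-authority:%s" % _attr(prov, "name"))

    return sorted(findings)


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

Treat the output as triage signals rather than verdicts: a genuine Android TV app legitimately declares LEANBACK_LAUNCHER, and resolving an authority from resources is valid configuration, so a hit should route the APK to a closer look at its native libraries and provider code rather than to an automatic block.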
Apps Launch Ads and Phishing Attacks Without Permission
Bitdefender observed that the apps were able to show ads on the Android devices without being started, even if another application was running in the foreground.
The mechanism of starting the activity is located in the native library. The apps can run without required permissions by abusing several API calls. An API call is a message sent from a client application to an API endpoint to initiate a specific action or retrieve data.
This enables the attackers to launch phishing attacks on the device screen, requesting that users enter credentials for websites such as Facebook and YouTube. In some cases, users have been prompted to provide credit card information under various pretexts.
The researchers noted that it is also common for attackers to scare users with threats of infected devices in an effort to persuade them to install third-party apps that could prove to be dangerous malware, such as banking Trojans.
Most of the apps use custom, dedicated command and control (C2) domains. Different ways of encrypting communication have also been employed, using AES, Base64 and custom encryption.
Device information is extracted using a dictionary-based structure, but the keys in this dictionary are polymorphic and unique to each application. This constant change makes detection and analysis more difficult.