Security researchers dismantle the massive SlopAds operation involving over 38 million downloads, exposing sophisticated methods of ad fraud on the Google Play Store and prompting renewed vigilance in mobile security.
Security researchers have uncovered and dismantled one of the largest ad fraud operations ever discovered on the Google Play Store. The campaign involved 224 malicious Android applications collectively downloaded over 38 million times. These apps, all hosted on the official Google Play Store, were designed to deceptively generate fake advertising views and clicks, defrauding advertisers on a massive scale.
Known as SlopAds, this operation was notable not just for its scale but also for its sophisticated method of evading detection. Initially, the apps appeared and behaved like legitimate software, building user trust. However, once the user interacted with one of the embedded ads, the malicious payload was activated. Using Firebase Remote Config, the apps secretly downloaded encrypted configuration files containing links to malware modules and control servers. The malware downloaded seemingly innocuous PNG images which, in reality, concealed fragments of a secondary payload named FatModule.
Once assembled and executed, this payload created hidden WebViews within the infected devices. These WebViews simulated browsing of gaming and news websites, generating fraudulent ad impressions and clicks in the background without user knowledge. At its peak, this network generated approximately 2.3 billion ad bid requests every day, potentially costing advertisers millions of dollars due to fake impressions and clicks. The highest volume of fraudulent traffic was traced back to the United States, India, and Brazil, with users from 228 countries impacted in total.
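For analysts triaging image assets that an app downloads at runtime, the following added example (not code from the researchers, Google, or the SlopAds apps) walks a PNG's chunk structure and reports bytes an image decoder would ignore. The article does not say how the FatModule fragments were embedded, so the checks assume the two common container-level hiding places, data appended after `IEND` and private chunks, and do not cover pixel-level steganography. The sample images and the `frAg` chunk name are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is private data.
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA",
            b"iCCP", b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD",
            b"hIST", b"pHYs", b"sPLT", b"tIME", b"eXIf"}
# Magic bytes of code containers an Android loader could consume.
MAGICS = {b"PK\x03\x04": "zip/apk", b"dex\n": "dex", b"\x7fELF": "elf"}

def _magics(blob):
    return sorted(name for sig, name in MAGICS.items() if sig in blob)

def triage_png(data):
    """Return (kind, size, code_magics) for bytes an image decoder ignores."""
    if not data.startswith(PNG_SIG):
        return [("not-png", len(data), _magics(data))]
    findings, pos, seen_iend = [], len(PNG_SIG), False
    while pos + 12 <= len(data) and not seen_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return findings + [("truncated-chunk", len(data) - pos, [])]
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            findings.append(("bad-crc", length, []))
        if ctype not in STANDARD:
            findings.append(("private-chunk", length, _magics(body)))
        seen_iend = ctype == b"IEND"
        pos = end
    if not seen_iend:
        findings.append(("missing-iend", 0, []))
    if pos < len(data):
        findings.append(("trailing-data", len(data) - pos, _magics(data[pos:])))
    return findings

# Constructed samples: a valid 1x1 grayscale PNG and two tampered variants.
def _chunk(ctype, body=b""):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

_HEAD = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
_TAIL = _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND")
CLEAN = _HEAD + _TAIL
APPENDED = CLEAN + b"dex\n035\x00" + bytes(16)
PRIVATE = _HEAD + _chunk(b"frAg", b"PK\x03\x04constructed") + _TAIL

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("appended", APPENDED), ("private", PRIVATE)]:
        print(name, triage_png(sample))
```

An empty result only means the container is structurally clean; encrypted fragments carry no recognizable magic bytes, so the size of any ignored region matters more than the magic hint.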
Google responded by removing all identified SlopAds applications from the Play Store and updating its Play Protect security system to warn users and prevent further damage. According to Google’s announcement, devices affected by these apps are now considered safe following these actions. However, cybersecurity experts caution that the perpetrators behind SlopAds possess the technical knowledge and resources to launch new waves of similar fraudulent software, warning users to remain vigilant.
This fraud ring’s use of advanced obfuscation techniques, steganography, and dynamic code loading highlights the increasing sophistication of cybercriminals exploiting app marketplaces, even those operated by major tech companies with rigorous security measures. The SlopAds case serves as a stark reminder that malicious actors continue to find innovative ways to infiltrate trusted platforms, necessitating ongoing vigilance from both users and security teams.
The broader context of modern cyber threats includes various methods by which hackers compromise security. Recent reports have pointed to hackers exploiting unexpected vulnerabilities, such as using ultrasonic signals or device sensors like gyroscopes to breach systems even without internet access. Additionally, fraudsters often impersonate banks and trusted companies to steal money, underscoring the critical need for cautious behaviour online.
Overall, the eradication of the SlopAds campaign marks a significant victory for Google and the cybersecurity community, but it underscores the persistent and evolving nature of digital advertising fraud on mobile platforms.
Source: Noah Wire Services