Cybersecurity researchers at Bitdefender have discovered a malicious ad fraud campaign that has successfully deployed over 300 applications within the Google Play Store. These malicious apps have collectively been downloaded over 60 million times, exposing users to invasive ads and phishing attempts.
Malicious Apps on the Google Play Store
The Google Play Store, a popular platform for Android applications, has become a target for cybercriminals. Despite Google’s efforts to maintain a safe environment by removing malicious apps, attackers continuously adapt new methods to slip them one way or another.
According to Bitdefender’s report shared with Hackread.com ahead of publishing on Tuesday, its researchers along with IAS Threat Lab traced this campaign back to at least 331 malicious apps, 15 of which were still available on Google Play at the time of their investigation. These apps pose as harmless utilities, such as QR scanners, expense trackers, health apps, and wallpaper apps.
Many of these apps initially appeared harmless but were later updated to include malicious codes. The fraud campaign, active since Q3 2024, shows no signs of slowing down, with new malicious apps still appearing on the store as recently as March 2025. The top 5 counties impacted by this campaign include:
- Brazil
- United States
- Mexico
- Turkiye
- South Africa
Hidden Icons, Pushing Ads and Phishing:
One of the techniques involve hiding the app icon from the user’s launcher. This method, restricted in newer Android versions, suggests that attackers have either found a flaw or are exploiting an API vulnerability. Some apps even change their names to mimic legitimate services like Google Voice, further complicating their removal.
These apps are designed to display full-screen ads without user consent, even when another app is in use. Worse, they can initiate phishing attacks, tricking users into exposing sensitive information such as login credentials and credit card details.
Researchers have also revealed technical strategies used by these malicious apps to evade detection on infected devices. One such technique is Content Provider Abuse, where apps declare a contact content provider that is automatically queried by the system after installation, enabling execution without user interaction.
Another tactic involves activity launching through methods like DisplayManager.createVirtualDisplay and other API calls, allowing the apps to start activities without requiring user permission. This technique is often used to display intrusive ads or launch phishing attempts.
To maintain persistence, these apps rely on services and dummy receivers, ensuring they remain active even on newer Android versions that block certain background activities.
Protect Your Devices
Usually, it’s best to download apps only from official stores like Google Play and Apple’s App Store. However, in this case, it’s advised to avoid downloading unnecessary apps from both official and third-party stores.
Make sure to keep your device updated so security patches are installed automatically. Run regular malware scans and watch for suspicious activity, such as an app’s icon suddenly disappearing, its name changing, your device slowing down, or excessive battery drain. If you notice anything unusual, delete the app immediately.
