224 Malicious Android Apps on Google Play With 38 Million Downloads Delivering Malicious Payloads

A mobile ad fraud operation dubbed "SlopAds" infiltrated the Google Play Store with 224 malicious applications that collectively amassed more than 38 million downloads across 228 countries and territories.

The campaign is one of the largest mobile ad fraud schemes documented to date. It used steganography and several layers of obfuscation to deliver its fraud module while evading both store review and on-device scanning.

The operators gated the fraud on install attribution: the malicious behavior only activated when a user had installed the app by clicking through specific advertising campaigns, and stayed dormant for organic Play Store installs.

This selective activation let the apps remain on the platform for extended periods while appearing benign to casual users and to automated security systems, which typically exercise an app without the ad-click attribution the fraud was waiting for.

Human Security analysts identified the operation while investigating anomalous patterns in telemetry from the company's Ad Fraud Defense product.

The researchers found that SlopAds applications were generating roughly 2.3 billion fraudulent bid requests per day at the campaign's peak, with traffic concentrated in the United States (30%), India (10%) and Brazil (7%).

[Figure: Global distribution of SlopAds-associated traffic (Source – Human Security)]

The campaign’s global reach and massive scale underscore the threat actors’ sophisticated infrastructure and operational capabilities.

The malicious applications used Firebase Remote Config, a legitimate Google developer service, to retrieve encrypted configuration data that contained the URLs from which the primary fraud module, "FatModule," was downloaded.

Pulling the configuration from a trusted Google-hosted service gave the loader traffic a benign appearance and meant no hard-coded command-and-control address had to be shipped in the APK, where static analysis would find it.

Advanced Steganographic Payload Delivery System

SlopAds used an unusual payload delivery mechanism that illustrates how far mobile malware operators will go to keep the real code out of the package that gets reviewed.

The system hid the fraud module inside seemingly innocuous PNG image files, so that scanners which only look for executable content (DEX, ELF, APK) in an app's downloads saw nothing but images.

[Figure: SlopAds operation (Source – Human Security)]

Once an installed app passed the operators' initial checks, the command-and-control servers delivered four specially crafted PNG files inside encrypted ZIP archives.

Each image carried a hidden fragment of an APK; after decryption and reassembly the fragments formed the complete FatModule that carried out the fraud.

Because the payload travelled as image data, it passed through network security filters and app store scanning without matching conventional malware signatures.
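The article does not say exactly how the APK fragments were embedded in the PNGs. The following added example, which is not code from Human Security or from SlopAds, shows the two structural checks that catch the most common image-carrier tricks: data appended after the IEND chunk, and payloads stashed in non-standard chunks. It builds a constructed 1x1 PNG as sample input; `build_sample_png`, `inspect_png` and `classify_blob` are names chosen here. It will not detect pixel-level (LSB) steganography, which needs a statistical test rather than a structural one.

```python
"""Inspect a PNG for data a stego loader could hide outside the image itself."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a closer look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
# Magic bytes of containers a mobile loader would reassemble from image data.
PAYLOAD_MAGIC = {
    b"PK\x03\x04": "zip/apk/jar local file header",
    b"dex\n": "dex header",
    b"\x7fELF": "ELF shared object",
}


def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(trailing=b"", extra_chunks=()):
    """Constructed 1x1 grayscale PNG used as test input (not a real SlopAds file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    chunks = [_chunk(b"IHDR", ihdr), _chunk(b"IDAT", idat)]
    chunks += [_chunk(t, d) for t, d in extra_chunks]
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks) + trailing


def classify_blob(blob):
    """Label the container a blob looks like; flags ZIP entries with the encryption bit set."""
    for magic, label in PAYLOAD_MAGIC.items():
        if blob.startswith(magic):
            if magic == b"PK\x03\x04" and len(blob) >= 8:
                flags = struct.unpack_from("<H", blob, 6)[0]  # general-purpose bit flags
                if flags & 0x1:
                    label += " (encrypted)"
            return label
    return None


def inspect_png(data):
    """Walk the chunk list; report non-standard chunks, bad CRCs and trailing bytes.

    Returns a list of (finding, detail) tuples; an empty list means the file is a
    well-formed PNG with nothing hidden in the structure checked here.
    """
    findings = []
    if not data.startswith(PNG_SIG):
        return [("not_png", "missing signature")]
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8 : pos + 8 + length]
        crc_offset = pos + 8 + length
        if crc_offset + 4 > len(data):
            findings.append(("truncated_chunk", ctype.decode("latin-1")))
            return findings
        stored_crc = struct.unpack_from(">I", data, crc_offset)[0]
        if stored_crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(("bad_crc", ctype.decode("latin-1")))
        if ctype not in STANDARD_CHUNKS:
            label = classify_blob(body) or "unknown"
            findings.append(("nonstandard_chunk", f"{ctype.decode('latin-1')}:{label}"))
        pos = crc_offset + 4
        if ctype == b"IEND":
            break
    trailing = data[pos:]  # a decoder stops at IEND, so anything here is never rendered
    if trailing:
        label = classify_blob(trailing) or "unknown"
        findings.append(("trailing_data", f"{len(trailing)} bytes:{label}"))
    return findings


if __name__ == "__main__":
    carrier = build_sample_png(trailing=b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 20)
    print(inspect_png(carrier))
```

Run this over every image an app downloads at runtime (or over the PNGs in a suspicious APK's assets); a hit on `trailing_data` or `nonstandard_chunk` that classifies as a ZIP, DEX or ELF is a strong signal that the image is a carrier rather than artwork.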

FatModule incorporated several anti-analysis features, including an anti-instrumentation check that walks the current thread's stack trace looking for class or method names associated with hooking frameworks, Xposed modules and Frida, the tools security researchers most often use to instrument Android apps. The check is weak: it only fires if an instrumentation frame with a telltale name happens to be on the stack at that moment, and a researcher can hook Thread.getStackTrace itself or rename the offending frames.

In addition, the module encrypted strings throughout its codebase and shipped packed native code to hide its real functionality from static analysis tools.

// Decompiled SlopAds anti-instrumentation check; the method name is the
// decompiler's, not the original. Returns true if any frame on the calling
// thread's stack carries a class or method name that hints at a hooking tool.
public static Boolean m45535a() {
    try {
        StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
        for (StackTraceElement element : stackTrace) {
            // "com.pkg.Class#method", compared case-insensitively
            String frame = (element.getClassName() + "#" + element.getMethodName()).toLowerCase();
            if (frame.contains("hook") || frame.contains("xpose") || frame.contains("frida")) {
                return true; // instrumentation suspected
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
    return false; // no suspicious frame found
}

The fraud itself ran inside hidden WebViews that first collected a detailed device fingerprint, including hardware specifications, network information and GPU details.

That fingerprint allowed the operators to target the traffic precisely while the hidden WebViews navigated to threat actor-controlled cashout domains, generating ad impressions and clicks with no user awareness or interaction.
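As an added example, not Human Security's detection logic, the following script triages constructed bid-request telemetry for the two signals the article describes: per-device request volume no human could generate, and fraud that switches on only for ad-attributed installs while organic installs of the same app stay quiet. The log format, app names and thresholds are assumptions made here.

```python
"""Triage bid-request telemetry for SlopAds-style hidden-WebView ad fraud."""
from collections import defaultdict
from statistics import mean

# Constructed sample telemetry (not Human Security data). Fields:
# app_id device_id install_source hour bid_requests_in_that_hour
SAMPLE_LOG = """\
com.example.wallpaper d1 paid 10 480
com.example.wallpaper d2 paid 10 520
com.example.wallpaper d3 organic 10 3
com.example.wallpaper d3 organic 11 2
com.example.notes d4 organic 10 4
com.example.notes d5 paid 10 5
com.example.notes d5 paid 11 6
"""

# Assumed thresholds; calibrate against your own baseline. A real user does not
# drive hundreds of bid requests an hour, and paid and organic installs of the
# same app should behave alike unless the fraud is gated on attribution.
MAX_REQUESTS_PER_DEVICE_HOUR = 60
MAX_PAID_TO_ORGANIC_RATIO = 10.0


def parse_log(text):
    """Parse whitespace-separated telemetry lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, device, source, hour, requests = line.split()
        records.append({"app": app, "device": device, "source": source,
                        "hour": int(hour), "requests": int(requests)})
    return records


def score_apps(records, max_rate=MAX_REQUESTS_PER_DEVICE_HOUR,
               max_ratio=MAX_PAID_TO_ORGANIC_RATIO):
    """Return {app_id: [reasons]} for apps whose traffic looks machine-driven."""
    per_app = defaultdict(lambda: defaultdict(list))  # app -> install source -> hourly counts
    for r in records:
        per_app[r["app"]][r["source"]].append(r["requests"])

    findings = {}
    for app, by_source in per_app.items():
        reasons = []
        peak = max(n for rates in by_source.values() for n in rates)
        if peak > max_rate:
            reasons.append(f"peak {peak} requests/device/hour")
        paid, organic = by_source.get("paid"), by_source.get("organic")
        if paid and organic:
            # Attribution-gated fraud shows up as a large paid/organic gap.
            ratio = mean(paid) / max(mean(organic), 1e-9)
            if ratio > max_ratio:
                reasons.append(f"paid installs generate {ratio:.0f}x organic volume")
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in score_apps(parse_log(SAMPLE_LOG)).items():
        print(app, "->", "; ".join(reasons))
```

The paid-versus-organic comparison is the more interesting of the two checks: a volume threshold alone is easy to tune under, but an app whose ad-attributed installs behave very differently from its organic ones is exhibiting exactly the conditional activation that let SlopAds hide from reviewers.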

Google has since removed all identified SlopAds applications from the Play Store. Google Play Protect, which is enabled by default on devices with Google Play Services, warns about and blocks installation of known malicious apps even when they come from outside the store, so users do not need to take action beyond keeping it switched on.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.