SlopAds is a global ad fraud and click fraud operation comprising 224 Android apps that collectively amassed more than 38 million downloads across 228 countries and territories.
Under the guise of AI-themed utilities, these apps employ advanced obfuscation techniques—such as steganography and hidden WebViews—to deliver a fraud payload that generates billions of ad impressions and clicks for threat actor–owned cashout sites.
SlopAds infrastructure relies on multiple command-and-control (C2) servers and dedicated promotional domains, indicating a well-resourced threat actor poised to expand the operation further.
At its peak, SlopAds generated 2.3 billion bid requests per day, with traffic originating predominantly from the United States (30 percent), India (10 percent), and Brazil (7 percent).
Promotional domains serve little purpose beyond redirecting users to the Google Play Store listings, and more than 300 such domains have been linked to this threat.
During report assembly, SlopAds developers continued to adapt their toolkit and stage new apps for submission to Google Play, underlining the persistence of this campaign.
Google has since removed all 224 identified apps from its Play Store. Users benefit from Google Play Protect, which issues install-time warnings and blocks behaviors associated with SlopAds—even for apps installed outside of Play—ensuring that all affected devices running certified Android builds are protected by default.
Novel Obfuscation Tactics
The threat actors behind the SlopAds operation took great pains to cover their tracks and make it difficult for the cybersecurity community to unpack and understand how the scheme worked.
SlopAds stands out for its conditional fraud logic: apps perform ad and click fraud only when they detect a non-organic install pathway—i.e., when a user is redirected to the Play Store via an ad click.
This is achieved using a mobile marketing attribution platform to detect campaign tags in the install referrer. Organically installed apps behave normally, displaying only the advertised functionality.
Once a non-organic install is confirmed, the app fetches an encrypted configuration from Firebase Remote Config containing:
- The C2 URL for downloading the ad fraud module (“FatModule”).
- A list of HTML5 cashout domains.
- A JavaScript payload for click fraud.
Four PNG files delivered by the C2 server conceal the FatModule APK via digital steganography.
These files are partially ordinary images; the remaining bytes form encrypted slices of the FatModule, which the app reassembles on-device.
Multiple layers of obfuscation—string encryption, packed native code, and anti-debugging checks—further thwart analysis.
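The report does not say exactly how the FatModule slices are embedded in the carrier images. The following is an added analyst-side example, not code from the report or from the SlopAds apps, covering the simplest carrier layout: a valid PNG with an opaque blob appended after the IEND chunk, which image decoders silently ignore. It walks the chunk list, verifies each CRC, and measures the entropy of any trailing bytes; the 7.0 bits-per-byte threshold, the sample images and the 4096-byte pseudo-random trailer are all constructed for the example.

```python
import math
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def walk_png_chunks(blob: bytes):
    """Walk the chunk list, verify each CRC, and return (chunks, offset just after IEND)."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data_start, data_end = pos + 8, pos + 8 + length
        if data_end + 4 > len(blob):
            raise ValueError("truncated chunk")
        stored_crc = struct.unpack(">I", blob[data_end:data_end + 4])[0]
        real_crc = zlib.crc32(ctype + blob[data_start:data_end]) & 0xFFFFFFFF
        chunks.append((ctype.decode("ascii", "replace"), length, stored_crc == real_crc))
        pos = data_end + 4
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk found")


def inspect_png(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report the chunk layout plus any bytes trailing IEND, which decoders ignore."""
    chunks, end = walk_png_chunks(blob)
    trailer = blob[end:]
    entropy = shannon_entropy(trailer)
    return {
        "chunks": [name for name, _, _ in chunks],
        "crc_ok": all(ok for _, _, ok in chunks),
        "trailer_bytes": len(trailer),
        "trailer_entropy": round(entropy, 2),
        "suspicious": len(trailer) > 0 and entropy >= entropy_threshold,
    }


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG (constructed sample, not a real carrier)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Each scanline is a filter byte (0 = none) followed by one byte per pixel.
    scanlines = b"".join(b"\x00" + b"\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


# Constructed samples: a clean image, and the same image with 4096 pseudo-random
# bytes appended after IEND, standing in for an encrypted payload slice.
CLEAN_PNG = make_png()
_rng = random.Random(7)
STEGO_PNG = CLEAN_PNG + bytes(_rng.randrange(256) for _ in range(4096))

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("with trailer", STEGO_PNG)):
        print(label, inspect_png(blob))
```

Trailing data is only one of several ways to hide bytes in a PNG; payload can also sit in pixel data or in non-standard ancillary chunks, which is why the report lists every chunk type rather than only the trailer. Running the check over images an app downloads at runtime, rather than over the APK's bundled assets, matches the staged delivery described above.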
Fraud unfolds within hidden WebViews. Initially, a WebView silently navigates to a URL that harvests granular device and browser data, including emulator or root-detection checks to avoid sandboxed environments.
Subsequent WebViews follow sanitized redirect chains across threat actor–owned domains, auto-clicking viewable ads and generating fraudulent impressions.
Certain cashout sites employ HTML5 games or news portals to maximize ad load and click density before closing the WebView.
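The hidden-WebView flow above produces a recognizable traffic signature on the defender's side: impressions immediately followed by clicks, at a machine-steady cadence, from a single app and device. The following is an added example of that detection logic, not HUMAN's or Satori's code; it runs over a constructed ad-event log (the app id, device ids, thresholds and timings are all invented for the example) and flags per-device sessions with an implausibly high click-through rate or near-zero variance between clicks.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> list:
    """Constructed ad-event log (not real telemetry): one automated device, one ordinary one."""
    base = datetime(2025, 9, 1, 12, 0, 0)
    lines = []
    # Automated pattern: every impression is followed by a click, on a fixed 3 s cadence.
    for i in range(20):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:{TS_FMT}} com.example.aiwallpaper dev-bot impression")
        lines.append(f"{(t + timedelta(seconds=1)):{TS_FMT}} com.example.aiwallpaper dev-bot click")
    # Ordinary engagement: a handful of impressions over ten minutes and a single click.
    for secs in (0, 90, 200, 340, 450, 600):
        t = base + timedelta(seconds=secs)
        lines.append(f"{t:{TS_FMT}} com.example.aiwallpaper dev-human impression")
    lines.append(f"{(base + timedelta(seconds=345)):{TS_FMT}} com.example.aiwallpaper dev-human click")
    return lines


def parse_line(line: str):
    """Log format assumed for the example: '<timestamp> <app_id> <device_id> <event>'."""
    ts, app, device, event = line.split()
    return datetime.strptime(ts, TS_FMT), app, device, event


def analyze(lines, min_clicks: int = 5, ctr_threshold: float = 0.5,
            cadence_stdev: float = 1.0) -> dict:
    """Group events per (app, device) and flag sessions whose click pattern looks automated."""
    sessions = defaultdict(lambda: {"impressions": 0, "clicks": []})
    for line in lines:
        ts, app, device, event = parse_line(line)
        session = sessions[(app, device)]
        if event == "impression":
            session["impressions"] += 1
        elif event == "click":
            session["clicks"].append(ts)

    findings = {}
    for key, session in sessions.items():
        clicks = sorted(session["clicks"])
        if len(clicks) < min_clicks:          # too few clicks to judge a pattern
            continue
        ctr = len(clicks) / session["impressions"] if session["impressions"] else float("inf")
        gaps = [(b - a).total_seconds() for a, b in zip(clicks, clicks[1:])]
        reasons = []
        if ctr >= ctr_threshold:
            reasons.append(f"ctr={ctr:.2f}")
        # Human clicks are irregular; a near-constant interval points to scripted clicking.
        if len(gaps) >= 2 and pstdev(gaps) < cadence_stdev:
            reasons.append(f"click_cadence_stdev={pstdev(gaps):.2f}s")
        if reasons:
            findings[key] = reasons
    return findings


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for (app, device), reasons in analyze(SAMPLE_LOG).items():
        print(f"{app} {device}: {', '.join(reasons)}")
```

Thresholds like these are a starting point rather than a rule: production detection combines them with the signals the report names, such as install-referrer attribution, redirect chains through known cashout domains and device fingerprint anomalies, so that a single noisy metric does not decide the outcome.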
Detection, Disruption, and Ongoing Monitoring
Satori researchers uncovered SlopAds while investigating anomalies in HUMAN’s Ad Fraud Defense telemetry.
Domain clustering and promotional activity allowed analysts to map the extensive C2 and traffic-driving network.
Collaboration with the Google Play Store team has led to rapid takedown of new SlopAds apps as they surface.
Customers leveraging HUMAN’s Ad Fraud Defense and Ad Click Defense solutions are insulated from SlopAds impact, with real-time detection and mitigation of fraudulent bid requests and clicks.
Satori continues to monitor for new app submissions, C2 infrastructure changes, and adaptive tactics.
Given the operation’s sophistication and active development, threat actors behind SlopAds are expected to refine their methods and expand their app portfolio in pursuit of continued illicit revenue.
The SlopAds campaign underscores the increasing complexity of threats targeting the digital advertising ecosystem.
Through innovative abuse of attribution platforms and multi-layered obfuscation, adversaries can blend fraudulent traffic with legitimate user behavior to evade detection—highlighting the critical need for advanced, behavior-driven fraud defenses.