224 Apps on Google Play Store Used for Ad Fraud
Google has removed 224 malicious apps linked to the SlopAds ad fraud scheme, which had been generating an estimated 2.3 billion ad requests per day.
Discovery and Scale
The campaign was uncovered by the Satori Threat Intelligence team at Human Security, which found that the apps had been downloaded more than 38 million times. To avoid detection, the attackers relied on obfuscation techniques and steganography—hiding malicious code inside image files—to bypass Google’s defenses and security tools.
The operation was global in scope, with users in 228 countries and regions installing SlopAds apps. The highest number of ad impressions came from the United States (30%), India (10%), and Brazil (7%).
“We named this campaign SlopAds because the apps showed signs of mass production—like AI slop,” Human explained. “It’s also a reference to the collection of AI apps and services we found on the attackers’ command server.”
Evasion Tactics
SlopAds apps behaved differently depending on how they were installed. If a user downloaded one directly from the Play Store, the app appeared legitimate and performed its stated functions. But if installed through a malicious ad link, the app would contact Firebase Remote Config to fetch an encrypted configuration file.
That file contained URLs for downloading the ad fraud module, withdrawal servers, and a JavaScript payload. The malware then checked whether it was running on a real user’s device or under analysis by researchers. If it passed those checks, the app downloaded four PNG images. Hidden inside those images—using steganography—were fragments of a malicious APK file. When combined, these fragments formed the FatModule malware, which powered the ad fraud operation.
How the Fraud Worked
Once activated, FatModule opened hidden WebViews to gather device and browser details and redirect traffic to attacker-controlled domains. These domains, disguised as gaming and news sites, continuously displayed ads through hidden sessions. The result: more than 2 billion fraudulent ad impressions and clicks per day, generating significant illicit revenue.
Infrastructure and Response
Researchers found the campaign’s infrastructure included multiple command servers and over 300 promotional domains, suggesting the operators intended to scale far beyond the 224 identified apps.
Google has now removed all known SlopAds apps from the Play Store, and Google Play Protect has been updated to detect and remove them from users’ devices.
Still, experts warn that the sophistication of the operation means the threat actors are likely to regroup and launch new campaigns.
