
331 malicious apps with 60 million downloads on Google Play bypass Android 13 security

Security researchers at Bitdefender have uncovered a large-scale ad fraud campaign involving 331 malicious apps in the Google Play Store.

These apps, which have collectively been downloaded more than 60 million times, exploit weaknesses in Android 13 to evade security restrictions and carry out phishing attacks, ad fraud and credential theft.

The campaign shows an alarming level of sophistication. The attackers managed to bypass Android's restrictions on starting activities without user interaction and to hide app icons from the launcher, a capability that newer Android versions are designed to block.

The apps pose as utility applications such as QR scanners, expense trackers, health apps and wallpaper tools, which makes them look harmless to unsuspecting users.


Once installed, the apps show intrusive full-screen ads even when they are not actively running in the foreground. Worse, some of them try to harvest sensitive user information, including login credentials for online services and credit card data, through phishing prompts.

They achieve this without requesting the permissions traditionally associated with such actions, which points to advanced manipulation of Android APIs.

Techniques used to evade detection

The malicious apps use several techniques to evade detection:

  • Icon hiding: The attackers use mechanisms such as disabling launcher activities or declaring only the Android TV launcher category (LEANBACK_LAUNCHER) to hide the app icon from users.
  • Activity launch: By abusing APIs such as DisplayManager.createVirtualDisplay() and Presentation.show(), the malware starts activities without the permissions normally required. This enables full-screen phishing prompts that imitate legitimate services such as Facebook or YouTube.
  • Persistence: The apps use dummy broadcast receivers and foreground services to stay resident on the device. Even on newer Android versions, where foreground services are restricted, the attackers bypass the restriction with native code.
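The first two bullets describe manifest-level and code-level indicators that an analyst can check statically before ever running the sample. The script below is an added example written for this article, not Bitdefender's tooling: it classifies the MAIN entry points of a decoded AndroidManifest.xml (visible LAUNCHER, LAUNCHER declared android:enabled="false", or LEANBACK_LAUNCHER only) and scans smali disassembly lines for the two virtual-display API references named above. The two manifests and the smali lines at the bottom are constructed for illustration, and the findings are triage signals, not verdicts, since screen-mirroring and TV apps use the same APIs legitimately.

```python
"""Static triage for the icon-hiding and virtual-display indicators.

Added example for illustration; not Bitdefender's tooling.  The sample
manifests and smali lines below are constructed, not taken from a real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACTION_MAIN = "android.intent.action.MAIN"
CAT_LAUNCHER = "android.intent.category.LAUNCHER"
CAT_LEANBACK = "android.intent.category.LEANBACK_LAUNCHER"

# Method references as they appear in smali invoke lines.  Legitimate apps
# use them too, so a hit is a reason to look closer, not a conviction.
VIRTUAL_DISPLAY_APIS = (
    "Landroid/hardware/display/DisplayManager;->createVirtualDisplay",
    "Landroid/app/Presentation;->show",
)


def _a(el, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def launcher_report(manifest_xml: str) -> dict:
    """Classify every MAIN entry point and flag the icon-hiding patterns."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    rep = {"package": root.get("package"), "visible": [], "tv_only": [],
           "disabled": [], "findings": []}
    for comp in app.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        actions = {_a(x, "name") for x in comp.findall("intent-filter/action")}
        cats = {_a(x, "name") for x in comp.findall("intent-filter/category")}
        if ACTION_MAIN not in actions:
            continue
        name = _a(comp, "name")
        if CAT_LAUNCHER in cats:
            # android:enabled="false" keeps the declaration for Play review
            # but shows no icon until something re-enables it at runtime.
            bucket = "visible" if _a(comp, "enabled") != "false" else "disabled"
            rep[bucket].append(name)
        elif CAT_LEANBACK in cats:
            rep["tv_only"].append(name)   # Android TV launcher only
    if not rep["visible"]:
        if rep["tv_only"]:
            rep["findings"].append("only LEANBACK_LAUNCHER entry points; no icon on a phone launcher")
        if rep["disabled"]:
            rep["findings"].append("MAIN/LAUNCHER entry point declared android:enabled=\"false\"")
        if not rep["tv_only"] and not rep["disabled"]:
            rep["findings"].append("no MAIN/LAUNCHER entry point at all")
    return rep


def virtual_display_hits(smali_lines) -> list:
    """Return the virtual-display API references present in smali lines."""
    return [api for api in VIRTUAL_DISPLAY_APIS
            if any(api in line for line in smali_lines)]


# --- constructed samples -------------------------------------------------
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.qrscanner">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="%s"/>
        <category android:name="%s"/>
      </intent-filter>
    </activity>
  </application>
</manifest>""" % (ANDROID_NS, ACTION_MAIN, CAT_LAUNCHER)

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="%s" package="com.example.wallpaper">
  <application>
    <activity-alias android:name=".Launcher" android:enabled="false" android:targetActivity=".Main">
      <intent-filter>
        <action android:name="%s"/>
        <category android:name="%s"/>
      </intent-filter>
    </activity-alias>
    <activity android:name=".TvEntry">
      <intent-filter>
        <action android:name="%s"/>
        <category android:name="%s"/>
      </intent-filter>
    </activity>
  </application>
</manifest>""" % (ANDROID_NS, ACTION_MAIN, CAT_LAUNCHER, ACTION_MAIN, CAT_LEANBACK)

SMALI_LINES = [
    "    invoke-virtual {v0, v1, v2, v3, v4, v5, v6}, Landroid/hardware/display/DisplayManager;->createVirtualDisplay(Ljava/lang/String;IIILandroid/view/Surface;I)Landroid/hardware/display/VirtualDisplay;",
    "    invoke-virtual {p0}, Lcom/example/wallpaper/Overlay;->show()V",
    "    invoke-virtual {v7}, Landroid/app/Presentation;->show()V",
]

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        print(launcher_report(m))
    print(virtual_display_hits(SMALI_LINES))
```

Run it against `apktool d` output: feed the decoded AndroidManifest.xml to `launcher_report` and the concatenated `smali/**/*.smali` lines to `virtual_display_hits`. An app with no visible launcher entry that also references both virtual-display APIs matches the pattern described above closely enough to justify dynamic analysis.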

Most of these malicious apps became active on Google Play in the third quarter of 2024. Initially benign versions of the apps were updated with malware components early in Q3, Bitdefender said.

[Figure: apps published on Google Play]

The campaign remains active: the latest malware stack was uploaded to the Play Store as recently as March 4, 2025. At the time of Bitdefender's investigation, 15 of the apps were still available for download.

The scale of this campaign is unprecedented. While the exact geographic distribution is unclear, the download counts show a broad impact across several regions.

[Figure: distribution by country]

The attackers appear to be either a single actor or a group using the same packaging tools purchased on black markets.

To evade detection by security products and researchers, the malware uses advanced obfuscation techniques:

  • String obfuscation with XOR encoding.
  • Polymorphic encryption combining AES and Base64.
  • Runtime checks that detect emulated environments or debugging attempts.
  • Native libraries obfuscated with tools such as Armariris.

Implications for users

This discovery highlights critical weaknesses in Android's security framework and underlines the need for robust third-party security solutions. Google has been proactively removing the malicious apps from its platform, but the attackers continue to adapt their methods.

Bitdefender recommends that users not rely exclusively on the default protection provided by Android and the Google Play Store.

With attackers exploiting gaps in Android and using sophisticated workarounds, users must remain vigilant when downloading apps, even from trusted platforms such as the Google Play Store.

As this campaign unfolds, it serves as a wake-up call for users and developers alike to prioritize mobile security measures against increasingly complex threats.
