
Fraudsters sneak 300+ ad fraud apps with 60M downloads onto Google Play

Cybersecurity researchers from Bitdefender have uncovered an ad fraud campaign that successfully made its way into the Google Play Store. The malicious apps have been downloaded over 60 million times, exposing users to invasive ads and phishing attempts.

Malicious apps in the Google Play Store

The Google Play Store, a popular platform for Android applications, has become a target for cybercriminals. Despite Google's efforts to maintain a safe environment by removing malicious apps, attackers keep adopting new methods to slip them in.

According to Bitdefender's report, which was shared with HackRead.com ahead of its publication on Tuesday, the researchers, together with IAS Threat Lab, linked this campaign to at least 331 malicious apps, 15 of which were still available on Google Play at the time of their investigation. These apps pose as harmless utilities such as QR scanners, expense trackers, health apps and wallpaper apps.

2 of the 300+ malicious apps, each with more than 1 million downloads (screenshot: Bitdefender)

Many of these apps initially seemed harmless, but were later updated to include malicious code. The fraud campaign, which has been active since the second quarter of 2024, shows no signs of slowing down, with new malicious apps appearing in the store in March 2025. The top 5 countries in this campaign are:

  1. Brazil
  2. United States
  3. Mexico
  4. Turkiye
  5. South Africa

Hidden icons, ad display and phishing

One of the techniques is to hide the app icon from the user's launcher. Because this behavior is restricted in newer Android versions, it suggests that the attackers have either found a bug or are abusing an API weakness. Some apps even change their names to imitate legitimate services such as Google Voice, further complicating their removal.

These apps are designed to display full-screen ads without user consent, even when another app is in use. Even worse, they can initiate phishing attacks and trick users into revealing sensitive information such as login credentials and credit card details.

https://www.youtube.com/watch?v=5RS0DXE3VDE

Researchers have also revealed technical strategies used by these malicious apps to evade detection on infected devices. One such technique is content provider abuse, in which apps declare a contact content provider that the system automatically queries after installation, triggering execution without user interaction.

Another tactic uses DisplayManager.createVirtualDisplay and other API calls so that the apps can start activities without requesting the user's permission. This technique is often used to display intrusive ads or to launch phishing attempts.

To maintain persistence, these apps rely on services and dummy receivers to ensure that they remain active on newer Android versions that block certain background activities.
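
As an added example (not code from Bitdefender's report or from this article), the Python script below triages a decoded AndroidManifest.xml for the manifest-visible traits described above: no enabled launcher entry, declared content providers, and receivers with no intent filter. The sample manifest is constructed, and the rules, including treating a filterless receiver as a "dummy", are assumptions meant to prioritize manual review; API calls such as DisplayManager.createVirtualDisplay live in app code rather than the manifest and are not covered.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest; package and class names are invented.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <application>
    <activity android:name=".MainActivity" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".SyncProvider"
              android:authorities="com.example.qrscanner.contacts"/>
    <service android:name=".KeepAliveService"/>
    <receiver android:name=".NoopReceiver"/>
  </application>
</manifest>"""

def is_launcher(component):
    """True if the component carries a MAIN + LAUNCHER intent filter."""
    for f in component.findall("intent-filter"):
        actions = {a.get(A + "name") for a in f.findall("action")}
        cats = {c.get(A + "name") for c in f.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False

def triage(manifest_xml):
    """Return heuristic findings for manual review (assumed rules, not proof)."""
    app = ET.fromstring(manifest_xml.strip()).find("application")
    findings = []
    entries = [c for tag in ("activity", "activity-alias")
               for c in app.findall(tag) if is_launcher(c)]
    # No enabled launcher entry means no icon for the user to find.
    if not any(c.get(A + "enabled", "true") != "false" for c in entries):
        findings.append("no-enabled-launcher-entry")
    # Declared providers can start app code without the user opening it.
    for p in app.findall("provider"):
        findings.append("provider:" + p.get(A + "authorities", "?"))
    # Assumption: a receiver with no intent filter is treated as a "dummy".
    for r in app.findall("receiver"):
        if r.find("intent-filter") is None:
            findings.append("receiver-without-filter:" + r.get(A + "name", "?"))
    return findings
```

Many legitimate apps declare providers and receivers, so each finding is a reason to look closer rather than a verdict.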

Protect your devices

Usually it is best to download apps from official stores such as Google Play and Apple's App Store. In this case, however, it is recommended to avoid downloading unnecessary apps from both official and third-party sources.

Make sure your device is kept up to date so that security patches are installed automatically. Run regular malware scans and watch for suspicious activity, such as an app's icon suddenly disappearing, its name changing, your device slowing down or excessive battery drain. If you notice anything unusual, delete the app immediately.