
New Ad Fraud Campaign Exploits 331 Apps with 60M+ Downloads for Phishing and Intrusive Ads

March 18, 2025 | Ravie Lakshmanan | Ad Fraud / Mobile Security

Cybersecurity researchers have warned of a large-scale ad fraud campaign that used hundreds of malicious apps on the Google Play Store to serve full-screen ads and carry out phishing attacks.

“The apps show out-of-context ads and even try to convince the victims to give away registration and credit card information in phishing attacks,” Bitdefender said in a report shared with The Hacker News.

Details of the activity were first disclosed by Integral Ad Science (IAS) at the beginning of this month, which documented the discovery of over 180 apps designed to serve endless and intrusive full-screen interstitial video ads. The ad fraud scheme was codenamed Steam.


These apps, which Google has since removed, masqueraded as legitimate apps and collectively accumulated more than 56 million downloads, generating more than 200 million bid requests every day.

“Several developers have created several developer accounts, each organizing only a handful of apps to distribute their company and escape detection,” said the IAS Threat Laboratory. “This distributed setup ensures that the completion of a single account would only have a minimal impact on the overall operation.”

By imitating seemingly harmless utility, fitness and lifestyle applications, the operation successfully tricked unwitting users into installing them.


Another important aspect is that the threat actors use a sneaky technique called versioning, which involves publishing to the Play Store a functional app without any malicious functionality so that it passes Google's review process. The app's functional features are then removed in subsequent app updates to display intrusive ads.

In addition, the ads hijack the device's entire screen and prevent the victim from using the device, rendering it largely inoperable. The campaign is believed to have begun sometime around April 2024 before expanding at the beginning of this year. In October and November alone, more than 140 bogus apps were uploaded to the Play Store.

The latest findings from the Romanian cybersecurity company show that the campaign is larger than previously assumed, comprising as many as 331 apps that achieved a total of more than 60 million downloads.

In addition to hiding the app's icon from the launcher, some of the identified applications attempted to collect credit card data and user credentials for online services. The malware is also able to exfiltrate device information to a server controlled by the attacker.

Another technique used to evade detection is the use of Leanback Launcher, a type of launcher developed specifically for Android-based TV devices, along with changing the app's own name and icon to pass itself off as Google Voice.
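A static triage check for the behaviours described above (an update that drops the launcher entry, a Leanback-only entry point on a non-TV app, a Google Voice label), as an added example that is not from Bitdefender, IAS or the original article. It assumes manifests already decoded to plain XML with literal labels; the finding names, sample package and `_sample` helper are hypothetical, and name or icon changes made at runtime are outside what it can see.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"
LEANBACK = "android.intent.category.LEANBACK_LAUNCHER"

def summarize(manifest_xml):
    """Collect package, literal labels, MAIN entry-point categories and TV flag."""
    root = ET.fromstring(manifest_xml)
    labels, cats = set(), set()
    for el in root.iter():
        if el.tag in ("application", "activity", "activity-alias") and el.get(A + "label"):
            labels.add(el.get(A + "label").lower())
        if el.tag == "intent-filter":
            if MAIN in {a.get(A + "name") for a in el.findall("action")}:
                cats |= {c.get(A + "name") for c in el.findall("category")}
    tv = any(f.get(A + "name") == "android.software.leanback"
             for f in root.findall("uses-feature"))
    return root.get("package", ""), labels, cats, tv

def triage(manifest_xml, previous_xml=None):
    """Return sorted triage signals for one version, optionally vs. the prior one."""
    package, labels, cats, tv = summarize(manifest_xml)
    findings = set()
    if LAUNCHER not in cats:
        findings.add("no-launcher-entry")             # no phone-launcher entry point
    if LEANBACK in cats and not tv:
        findings.add("leanback-entry-on-non-tv-app")  # TV entry, no TV feature declared
    if "google voice" in labels and not package.startswith("com.google."):
        findings.add("label-impersonates-google-voice")
    if previous_xml is not None and LAUNCHER in summarize(previous_xml)[2] \
            and LAUNCHER not in cats:
        findings.add("update-dropped-launcher-entry")  # versioning-style change
    return sorted(findings)

def _sample(label, category):
    """Constructed manifest for the demo; package and labels are invented."""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.stepcounter">'
            f'<application android:label="{label}"><activity android:name=".Main">'
            f'<intent-filter><action android:name="{MAIN}"/>'
            f'<category android:name="{category}"/></intent-filter>'
            '</activity></application></manifest>')

V1 = _sample("Step Counter", LAUNCHER)   # constructed: version submitted for review
V2 = _sample("Google Voice", LEANBACK)   # constructed: later update
if __name__ == "__main__":
    print(triage(V1), triage(V2, previous_xml=V1))
```

The signals are heuristics for prioritising manual review, not verdicts: legitimate apps can also ship without a launcher entry.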


“The attackers have found a way to hide the symbols of the apps from the launcher, which is restricted to recent Android iterations,” said Bitdefender. “The apps can start without user interaction, although this should not be technically possible in Android 13.”

It is believed that the campaign is the work of either a single threat actor or several cybercriminals using the same packing tool that is offered for sale on underground forums.

“The applications examined bypass the security restrictions for Android to start activities, even if they do not run in the foreground, and, without the necessary authorizations, spam the users with continuous, full-screen ads,” added the company. “The same behavior is used to serve UI elements with phishing attempts.”
