In early March 2025, researchers from IAS Threat Lab discovered a massive malicious campaign on the Google Play Store. Dubbed "Vapor" by the researchers, the operation involved hiding viruses, such as adware or data stealers, in the code of apps distributed on the store.
This "large and sophisticated ad fraud scheme" relied primarily on the injection of "endless and intrusive full-screen interstitial video ads". In this way, cybercriminals could quickly generate advertising revenue. During its investigations, IAS Threat Lab uncovered 180 fraudulent apps on the Play Store, totaling over 56 million downloads. Unfortunately, these were just the tip of the iceberg.
More than 300 malicious apps
A few weeks later, Bitdefender experts looked into the Vapor campaign. Researchers were able to identify 331 malicious apps on the Google store. These apps not only display "out-of-context ads", but also seek to "persuade victims into providing credentials and credit card information".
In fact, the apps will redirect users to phishing pages, designed to suck up all the data provided. The apps were caught displaying fake login pages for Facebook and YouTube. Similarly, overlay pages attempted to extract banking data from users. With the recovered data, cybercriminals could wreak havoc.
As Bitdefender explains in its report, malware hides in apps that appear harmless, such as note-taking tools, QR code scanners, health tracking solutions, expense tracking, or apps designed to optimize battery life. To lull users' suspicions, the apps are indeed equipped with the promised features. The scammers modify "the functionality of previously benign apps that had already been authorized for the Google Play Store, transforming them into dangerous software." The Vapor campaign apps have accumulated more than 60 million downloads. Most of the victims are located in Brazil, the United States, Mexico, Turkey, and South Korea.
Professional camouflage
To evade Google's vigilance, the hackers used multiple developer accounts. These accounts submitted apps devoid of any malicious payload. The criminal functionality is downloaded after installation under the guise of routine updates. The apps arrived on the Play Store between October 2024 and January 2025.
To remain undetected, the apps will also disappear from the Android app launcher. In some cases, the apps also change their name and icon, transforming into popular apps, such as Google apps. Similarly, the malicious app disappears from the Recents section, which lists recently used apps. The user will not necessarily understand where the intrusive ads that appear on their smartphone screen come from.
Google removes apps
Alerted by researchers, Google promptly removed all pinned apps from its platform. If you find one of these 300 apps on your Android smartphone, we obviously advise you to uninstall it immediately. For safety, take the time to compare the app drawer with the list of apps in Settings. This way, you can flush out apps that have changed appearance.
Bitdefender reminds us that "the Google Play Store is often targeted by cybercriminals who attempt to download malicious apps by bypassing existing protections." Although "Google purges the store of these apps," the "criminals adapt.". Therefore, users should be very careful when downloading apps from the Play Store. It is recommended to stick to apps offered by reputable developers. Before installing an app, be sure to check the comments section. Often, a quick glance can reveal whether an app is displaying intrusive ads or not working as expected.
Source: Bitdfender
0 Comments