An enormous Android advert fraud operation dubbed “SlopAds” was disrupted after 224 malicious functions on Google Play have been used to generate 2.3 billion advert requests per day.
The advert fraud marketing campaign was found by HUMAN’s Satori Risk Intelligence crewwhich reported that the apps have been downloaded over 38 million instances and employed obfuscation and steganography to hide the malicious conduct from Google and safety instruments.
The marketing campaign was worldwide, with customers putting in the apps from 228 nations, and SlopAds site visitors accounting for two.3 billion bid requests each day. The very best focus of advert impressions originated from the US (30%), adopted by India (10%) and Brazil (7%).
“Researchers dubbed this operation ‘SlopAds’ as a result of the apps related to the menace have the veneer of being mass produced, a la ‘Again up slop‘, and as a reference to a group of AI-themed functions and providers hosted on the menace actors’ C2 server,” defined HUMAN.
Android apps related to SlopAds advert fraud marketing campaign
Supply: HUMAN Satori
The SlopAds advert fraud marketing campaign
The advert fraud contained a number of ranges of evasion techniques to keep away from being detected by Google’s app overview course of and safety software program.
If a person put in a SlopAd app organically via the Play Retailer, with out coming from one of many marketing campaign’s advertisements, it could act as a standard app, performing the marketed performance as regular.
SlopAds advert fraud malware workflow
Supply: HUMAN SATORI
Nevertheless, if it was decided that the app was put in by the person clicking arriving by way of one of many menace actor’s advert campaigns, the software program used Firebase Distant Config to obtain an encrypted configuration file that contained URLs for the advert fraud malware module, cashout servers, and a JavaScript payload.
The app would then decide if it was put in on a legit person’s gadget, fairly than being analyzed by a researcher or safety software program.
If the app passes these checks, it downloads 4 PNG pictures that make the most of steganography to hide items of a malicious APK, which is used to energy the advert fraud marketing campaign.
Malicious code hidden in pictures utilizing steganography
Supply: HUMAN Satori
As soon as downloaded, the pictures have been decrypted and reassembled on the gadget to kind the whole “FatModule” malware, which was used to conduct the advert fraud.
As soon as FatModule was activated, it could use hidden WebViews to collect gadget and browser data after which navigate to advert fraud (cashout) domains managed by the attackers.
These domains impersonated sport and new websites, serving advertisements constantly via hidden WebView screens to generate over 2 billion fraudulent advert impressions and clicks per day, thereby creating income for the attackers.
HUMAN says the marketing campaign’s infrastructure included quite a few command-and-control servers and greater than 300 associated promotional domains, suggesting that the menace actors have been planning on increasing previous the preliminary 224 recognized apps.
Google has since eliminated all the identified SlopAds apps from the Play Retailer, and Android’s Google Play Shield has been up to date to warn customers to uninstall any which are discovered on gadgets.
Nevertheless, HUMAN warns that the sophistication of the advert fraud marketing campaign signifies that the menace actors will seemingly adapt their scheme to strive once more in future assaults.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration traits.
