Security researchers have uncovered an extensive ad fraud scheme relying on hundreds of malicious Android applications hosted on Google Play that amassed over 60 million downloads.
Dubbed Vapor, the campaign was initially flagged by IAS Threat Lab, which identified 180 malicious apps on Google Play designed to “deploy endless, intrusive full-screen interstitial video ads”.
Masquerading as utility, health and fitness, and lifestyle applications, Vapor software infiltrated victims’ devices without raising suspicion: functional when submitted to Google Play, the applications were later updated to generate ad revenue.
The updates, IAS explains in a report (PDF), completely removed the applications’ functionality, hid their icons from the app drawer, and also hid all visible UI elements.
“With the app fully set up, it immediately attempts to barrage the user with full-screen interstitial ads, effectively hijacking the device’s screen and rendering the user’s device largely inoperative,” IAS notes.
The more than 180 app IDs identified in Google Play have amassed over 56 million downloads since the beginning of 2024, with significant spikes observed in the third quarter of the year and between November 2024 and January 2025.
According to Bitdefender, however, the number of malicious applications pushed to Google Play as part of the scheme is almost double, at 331, while their combined download count has surpassed 60 million.
In addition to displaying fraudulent ads, the apps engaged in other malicious behavior, such as attempting to collect user credentials and credit card data via phishing.
The applications were designed to bypass protections in some of the latest Android iterations, performing restricted actions such as hiding their icons from the launcher, displaying out-of-context ads over other software, and being able to start without user interaction.
Some of the analyzed applications were using a launcher designed for Android TV, and could disable or enable their icon without restriction, while others could hide themselves from the Settings menu, to avoid being removed.
Most of the applications identified by Bitdefender first became available on Google Play between August 2024 and January 2025, while the most recent ones were published in early March 2025.
“To be clear, this is an active campaign. The latest malware published in the Google Play Store went live in the first week of March, 2025. When we finished the investigation, a week later, 15 applications were still available for download on Google Play,” Bitdefender says.
The cybersecurity firm also noticed that the applications could display ads in the foreground without being started, could display custom messages, such as prompts for user credentials, and used custom, dedicated command-and-control (C&C) domains.
Both IAS and Bitdefender reported their findings on the Vapor operation to Google, which removed the offending applications from Google Play.
“All of the identified apps from these reports have been removed from Google Play. Android users are also automatically protected by Google Play Protect, which is on by default on Android devices with Google Play Services,” a Google spokesperson told SecurityWeek.