
A large-scale Android ad fraud operation dubbed 'SlopAds' used 224 malicious applications on Google Play to generate 2.3 billion advertising requests per day.
The ad fraud campaign was discovered by HUMAN's Satori Threat Intelligence team, which stated that the apps were downloaded more than 38 million times and that obfuscation and steganography were used to hide the malicious behavior from Google and from security tools.
The campaign was worldwide, with users installing the apps from 228 countries and SlopAds traffic accounting for 2.3 billion bid requests every day. The highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
“Researchers dubbed this operation ‘SlopAds’ because the apps associated with the threat appear to have been produced at large scale, à la ‘AI slop’, and as a reference to a collection of AI-themed apps and services the threat actors hosted on their C2 server,” HUMAN explained.

Source: Human Satori
SlopAds ad fraud campaign
To get past Google's app review process and security software, the ad fraud campaign used several layers of evasion tactics to avoid detection.
If a user installed a SlopAds app organically from the Play Store, without clicking on one of the campaign's advertisements, it behaved as an ordinary app and displayed its advertised functionality normally.

Source: Human Satori
However, if the app determined that it had been installed by a user who arrived through one of the threat actor's advertising campaigns, it used Firebase Remote Config to download an encrypted configuration file containing the URLs for the ad fraud malware modules, the cashout servers, and JavaScript.
The app would then determine whether it was installed on a real user's device, rather than being analyzed by a researcher or by security software.
If the app passed these checks, it downloaded four PNG images that used steganography to hide pieces of a malicious APK, which were then used to carry out the ad fraud campaign.
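The steganography step above is the one a defender can look for on disk or in a proxy: a payload hidden in a PNG usually shows up either as data appended after the IEND chunk, as a non-standard chunk type, or as an embedded ZIP header (an APK is a ZIP archive). The scanner below is an added example written for this article; it is not HUMAN's tooling or anything from the SlopAds apps, and the sample images it scans are constructed inline. The chunk name `stEg` is invented for the test, and the "common ancillary chunk" list is a general heuristic rather than anything specific to this campaign. A payload hidden in the pixel data itself (LSB-style) would not be caught by these checks, and the article does not say which encoding the actors used.

```python
"""Heuristic scan of PNG files for concealed payloads (added example, not from the article)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
# Ancillary chunks a normal encoder emits; anything outside this set deserves a look.
COMMON_ANCILLARY = {b"tEXt", b"zTXt", b"iTXt", b"pHYs", b"gAMA", b"sRGB", b"cHRM",
                    b"bKGD", b"tIME", b"iCCP", b"sBIT", b"tRNS", b"hIST", b"sPLT"}
# ZIP local-file-header magic; an APK is a ZIP archive, so this is the string to hunt for.
ZIP_MAGIC = b"PK\x03\x04"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Build a minimal valid 1x1 8-bit greyscale PNG (constructed sample input).

    extra_chunks are inserted between IHDR and IDAT; trailer is appended after IEND.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    raw = b"\x00\x00"  # one scanline: filter byte 0 followed by one grey pixel
    body = _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    body += _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")
    return PNG_SIGNATURE + body + trailer


def scan_png(blob: bytes) -> dict:
    """Walk the chunk list and report anything that does not belong in a plain image."""
    findings = []
    if not blob.startswith(PNG_SIGNATURE):
        return {"valid_png": False, "findings": ["missing PNG signature"]}
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 8 <= len(blob) and not saw_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            findings.append(f"truncated chunk {ctype!r}")
            break
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            findings.append(f"bad CRC on chunk {ctype!r}")
        if ctype not in CRITICAL_CHUNKS and ctype not in COMMON_ANCILLARY:
            findings.append(f"unusual chunk {ctype!r} ({length} bytes)")
        if ZIP_MAGIC in data:
            findings.append(f"ZIP/APK header inside chunk {ctype!r}")
        if ctype == b"IEND":
            saw_iend = True
        pos += 12 + length
    trailing = len(blob) - pos
    if trailing > 0:
        # Decoders stop at IEND, so anything after it is invisible to the viewer but not to us.
        findings.append(f"{trailing} bytes after IEND")
        if ZIP_MAGIC in blob[pos:]:
            findings.append("ZIP/APK header in trailing data")
    return {"valid_png": saw_iend, "findings": findings}


if __name__ == "__main__":
    samples = {  # constructed inputs: one clean image and two with a hidden payload
        "clean": build_png(),
        "trailer": build_png(trailer=ZIP_MAGIC + b"\x00" * 60),
        "private_chunk": build_png(extra_chunks=[(b"stEg", ZIP_MAGIC + b"\x00" * 20)]),
    }
    for name, blob in samples.items():
        print(name, scan_png(blob))
```

Run it over a directory of images pulled from an app's assets or a proxy capture and triage anything with non-empty findings; the CRC check is there because a packer that rewrites chunks often forgets to fix the checksum, which a viewer tolerates but a scanner should not.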

Source: Human Satori
Once downloaded, images were dec
Once the FatModule becomes active, it uses hidden WebViews to collect device and browser information and then navigates to the cashout domains controlled by the attackers.
These domains hosted games and news sites that continuously served advertisements through the hidden WebViews, generating more than 2 billion fraudulent ad impressions and clicks and, with them, revenue for the attackers.
HUMAN says the campaign's infrastructure included several command-and-control servers and more than 300 related promotional domains, suggesting that the threat actors were planning to expand beyond the initial 224 identified apps.
Google has since removed all known SlopAds apps from the Play Store, and Google Play Protect has been updated to warn users to uninstall any that are found on their devices.
However, HUMAN warns that the sophistication of the ad fraud campaign indicates the threat actor will adapt their scheme and try again in future attacks.


