Massive Fraud: Google Removes Over 200 Android Malware Apps
A massive Android ad fraud operation has been exposed: Google has removed 224 apps from the Play Store that were part of it. The scheme provided lucrative profits for those behind it.
Nadine Dressler
September 21, 2025, 11:30 AM
Multi-layered Disguise
According to the HUMAN Satori Threat Intelligence Team, which discovered the attack, these apps have been downloaded over 38 million times in total, affecting 228 countries and regions worldwide.
The infected apps were initially inconspicuous. Users who installed them directly from the Play Store were able to use the advertised features normally. Only when an app is installed through an ad campaign from a fraudulent network does a complex mechanism activate behind the scenes. The apps then use Google's Firebase Remote Config to download encrypted configuration files, which include URLs pointing to the malicious code module and a so-called "cashout" server.
Over 300 domains are being used.
Extremely complex: parts of the actual malicious code are hidden within PNG images. The attackers use steganography to conceal fragments of the malicious APK within image files; the fragments are then assembled on the device. This "FatModule" uses a hidden WebView to collect device information and redirect users to fraudulent websites that continuously display ads and simulate clicks.
The underlying infrastructure is massive. In addition to the 224 exposed apps, the attackers also used over 300 domains impersonating news or gaming websites. This produces billions of fake ad impressions and clicks daily, generating continuous revenue.
Why is this a problem for end consumers?
Threat to Data Protection: These apps collect information about devices, users, and their online activities in the background, often without explicit consent and without visibility into the app's behavior.
Performance Issues: Because WebViews hidden in the background continuously load deceptive ads, this can reduce battery life, strain internet connections, and impact device performance.
Malware Risk: Downloadable modules ("FatModules") that enter the system through steganography can open up further attack surfaces for malware and data exfiltration.
Cascading Effect of Ad Fraud: Ad budgets are wasted, and users indirectly bear the cost, as this ultimately raises prices for legitimate services and apps.
Google Responds—But the Danger Remains
Following the disclosure of this attack campaign, Google has removed all affected apps and updated Google Play Protect to proactively warn users not to install or use them.