FatModule steganographic Android ad-fraud malware
Malware Activity
Summary
Hide ▲
Show ▼
The FatModule Android malware payload was decrypted and reassembled on-device, enabling a concealed ad fraud module that generated fraudulent impressions and clicks at scale. The malware relied on steganographic PNGs and hidden WebViews to avoid detection while gathering device and browser information. Its deployment helped a wider SlopAds operation drive 2.3 billion ad requests per day through malicious apps on Google Play. The scale and concealment of the payload made the fraud harder to detect and easier to sustain across a global victim base.
Related Happenings
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
Campaign
First: 11.05.2026 18:15
Last: 11.05.2026 18:15
Sources 1
About this happening:
The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
CampaignAbout this happening: The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
FakeWallet Apple App Store wallet-stealing apps
Malware Activity
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
FakeWallet Apple App Store wallet-stealing apps
Malware ActivityAbout this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Mirax Android banking trojan with residential proxy nodes
Malware ActivityAbout this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Mirax social media ad campaign targeting Spanish-speaking users
Campaign
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Mirax social media ad campaign targeting Spanish-speaking users
CampaignAbout this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
SparkCat malware variant in App Store and Google Play apps steals wallet recovery phrases
Malware Activity
First: 03.04.2026 12:10
Last: 03.04.2026 12:10
Sources 1
About this happening:
The **SparkCat** malware resurfaced in a new variant inside apps on the **Apple App Store** and **Google Play Store**, increasing the risk of mobile crypto wallet theft. The malwa...
SparkCat malware variant in App Store and Google Play apps steals wallet recovery phrases
Malware ActivityAbout this happening: The **SparkCat** malware resurfaced in a new variant inside apps on the **Apple App Store** and **Google Play Store**, increasing the risk of mobile crypto wallet theft. The malwa...
Timeline
-
16.09.2025 20:20 2 articles · 8mo ago
HUMAN reports FatModule Android ad fraud and Google removal
Technical Analysis UpdateHUMAN's Satori Threat Intelligence team reports that the SlopAds Android ad-fraud operation used steganographic PNG images to reconstruct the FatModule malware payload on-device; after activation, FatModule used hidden WebViews to collect device and browser information and route traffic to attacker-controlled cashout domains. Google removed the known SlopAds apps from Google Play, and Google Play Protect was updated to warn users to uninstall any affected apps found on devices.
Show sources
- Google nukes 224 Android malware apps behind massive ad fraud campaign — www.bleepingcomputer.com — 16.09.2025 20:20
- Google nukes 224 Android malware apps behind massive ad fraud campaign — www.bleepingcomputer.com — 16.09.2025 20:20