SlopAds campaign expands across multiple victims
Campaign
Summary
Hide ▲
Show ▼
The SlopAds Android ad-fraud operation used 224 apps to generate fraudulent ad impressions and clicks at global scale, reaching 38 million downloads across 228 countries and territories. It used steganography and hidden WebViews to conceal the fraud payload and route traffic to threat actor-owned cashout sites. At its peak, the operation produced 2.3 billion bid requests a day, showing how quickly mobile ad abuse can scale. Google has since removed the offending apps from the Play Store, disrupting the operation.
Related Happenings
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
CampaignAbout this happening: The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
Google expands Gemini AI for malicious ad blocking on Google Ads
Security Tool/Service
First: 16.04.2026 18:24
Last: 16.04.2026 18:24
Sources 1
About this happening:
**Google** expanded **Gemini AI** use across its ad platforms to detect and block **malicious ads** in real time, reducing scam and malvertising exposure at scale. The move matter...
Google expands Gemini AI for malicious ad blocking on Google Ads
Security Tool/ServiceAbout this happening: **Google** expanded **Gemini AI** use across its ad platforms to detect and block **malicious ads** in real time, reducing scam and malvertising exposure at scale. The move matter...
SparkCat malware variant in App Store and Google Play apps steals wallet recovery phrases
Malware Activity
First: 03.04.2026 12:10
Last: 03.04.2026 12:10
Sources 1
About this happening:
The **SparkCat** malware resurfaced in a new variant inside apps on the **Apple App Store** and **Google Play Store**, increasing the risk of mobile crypto wallet theft. The malwa...
SparkCat malware variant in App Store and Google Play apps steals wallet recovery phrases
Malware ActivityAbout this happening: The **SparkCat** malware resurfaced in a new variant inside apps on the **Apple App Store** and **Google Play Store**, increasing the risk of mobile crypto wallet theft. The malwa...
Perseus Android malware family actively distributed in the wild
Malware Activity
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...
Perseus Android malware family actively distributed in the wild
Malware ActivityAbout this happening: The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...
IPTV app lure campaign distributing Massiv Android banking malware
Campaign
First: 19.03.2026 12:13
Last: 19.03.2026 12:13
Sources 1
About this happening:
A **recent IPTV app lure campaign** is distributing **Massiv Android banking malware**, putting users who seek **free or low-cost live sports broadcasts** at risk of device compro...
IPTV app lure campaign distributing Massiv Android banking malware
CampaignAbout this happening: A **recent IPTV app lure campaign** is distributing **Massiv Android banking malware**, putting users who seek **free or low-cost live sports broadcasts** at risk of device compro...
Timeline
-
16.09.2025 17:19 2 articles · 8mo ago
SlopAds Android ad-fraud operation
Campaign Scope UpdateSlopAds is a large-scale Android ad-fraud and click-fraud operation that ran 224 apps, drew 38 million downloads across 228 countries and territories, and peaked at 2.3 billion bid requests a day. The apps use steganography, hidden WebViews, a mobile marketing attribution SDK check, and conditional execution tied to ad-click installs to load the FatModule fraud payload from a C2 server; domains promoting the apps link to ad2[.]cc as a Tier-2 C2 server, and Google has removed all the offending apps from the Play Store.
Show sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids — thehackernews.com — 16.09.2025 17:19
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids — thehackernews.com — 16.09.2025 17:19