SlopAds Fraud Ring Exploits 224 Android Apps for Ad Fraud
Summary
A sophisticated ad fraud operation, SlopAds, exploited 224 Android apps to generate 2.3 billion daily ad bids. The apps, downloaded 38 million times across 228 countries, used steganography and hidden WebViews to create fraudulent ad impressions and clicks. The fraud was conditional, activating only if the app was installed via an ad click. Google removed the offending apps from the Play Store and updated Google Play Protect to warn users. The operation leveraged AI-themed services and a complex command-and-control infrastructure. The fraudulent behavior was designed to evade detection by blending malicious traffic into legitimate campaign data. The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team, which identified the apps as 'AI slop' due to their mass-produced appearance and AI-themed services. The apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The campaign included numerous command-and-control servers and more than 300 related promotional domains, suggesting the threat actors planned further expansion.
Timeline
- 16.09.2025 17:19 (2 articles): SlopAds Fraud Ring Exploits 224 Android Apps for Ad Fraud
  The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team, which identified the apps as 'AI slop' due to their mass-produced appearance and AI-themed services. The apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The campaign included numerous command-and-control servers and more than 300 related promotional domains, suggesting the threat actors planned further expansion. Google updated Android's Google Play Protect to warn users to uninstall any SlopAds apps found on devices. The sophistication of the SlopAds campaign suggests that the threat actors may attempt future attacks.
  Sources:
  - SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids — thehackernews.com — 16.09.2025 17:19
  - Google nukes 224 Android malware apps behind massive ad fraud campaign — www.bleepingcomputer.com — 16.09.2025 20:20
Information Snippets
- SlopAds operated 224 Android apps, attracting 38 million downloads across 228 countries. (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- The apps used steganography and hidden WebViews to generate fraudulent ad impressions and clicks. (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- The fraud was conditional, activating only if the app was installed via an ad click. (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- The operation generated 2.3 billion bid requests daily at its peak. (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- Traffic from SlopAds apps mainly originated from the U.S. (30%), India (10%), and Brazil (7%). (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- The apps queried a mobile marketing attribution SDK to determine the download method. (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- The fraudulent behavior was initiated by downloading the FatModule from the C2 server. (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- The FatModule was delivered via four PNG image files concealing the APK. (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- The operation used HTML5 game and news websites for monetization. (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- The Tier-2 C2 server was identified as ad2[.]cc. (First reported 16.09.2025 17:19; source: thehackernews.com)
- An estimated 300 domains advertising SlopAds apps have been identified. (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- The operation highlights the evolving sophistication of mobile ad fraud. (First reported 16.09.2025 17:19; sources: thehackernews.com, www.bleepingcomputer.com)
- The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team. (First reported 16.09.2025 20:20; source: www.bleepingcomputer.com)
- The SlopAds apps were identified as 'AI slop' due to their mass-produced appearance and AI-themed services. (First reported 16.09.2025 20:20; source: www.bleepingcomputer.com)
- The SlopAds apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. (First reported 16.09.2025 20:20; source: www.bleepingcomputer.com)
- The SlopAds apps checked if they were installed on a legitimate user's device to avoid detection by security software. (First reported 16.09.2025 20:20; source: www.bleepingcomputer.com)
- The SlopAds apps downloaded four PNG images that used steganography to conceal pieces of a malicious APK, which was reassembled into the FatModule malware. (First reported 16.09.2025 20:20; source: www.bleepingcomputer.com)
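As an added illustration, not taken from the page or from HUMAN's report, of how a defender might triage image assets for the kind of concealment described above: the page does not say how the APK pieces were encoded into the PNGs, so this assumes the common approach of placing data where a PNG decoder ignores it (after IEND, or in an oversized ancillary chunk). The chunk walker, the ANCILLARY_LIMIT threshold and the sample PNG are all constructed here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"   # local-file-header magic of ZIP, hence of APK/JAR
ANCILLARY_LIMIT = 4096      # constructed threshold: larger than any sane metadata chunk


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png():
    """Constructed sample input: a valid 1x1 RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit depth, colour type RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte 0 + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def inspect_png(data):
    """Walk the chunk list; return a list of findings (empty list means nothing odd)."""
    findings = []
    if not data.startswith(PNG_SIG):
        return ["not a PNG: bad signature"]
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(data):
            return findings + ["truncated: no IEND chunk"]
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(body) != length or len(crc) != 4:
            return findings + ["truncated chunk " + name]
        if struct.pack(">I", zlib.crc32(ctype + body)) != crc:
            findings.append("crc mismatch in " + name)      # body edited after the CRC was set
        if ZIP_MAGIC in body:
            findings.append("zip/apk header inside " + name)
        if name[0].islower() and length > ANCILLARY_LIMIT:   # ancillary chunk types are lowercase
            findings.append("oversized ancillary chunk %s (%d bytes)" % (name, length))
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailer = data[pos:]
    if trailer:                                            # decoders ignore everything past IEND
        findings.append("%d bytes after IEND" % len(trailer))
        if ZIP_MAGIC in trailer:
            findings.append("zip/apk header in trailer")
    return findings
```

A hit on any finding is a triage signal, not proof of malice: some legitimate tools do append data after IEND, so route flagged files to a human or a sandbox rather than blocking on this alone.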
- The SlopAds apps used hidden WebViews to gather device and browser information and navigate to ad fraud domains. (First reported 16.09.2025 20:20; source: www.bleepingcomputer.com)
- The SlopAds campaign included numerous command-and-control servers and more than 300 related promotional domains. (First reported 16.09.2025 20:20; source: www.bleepingcomputer.com)
- Google updated Android's Google Play Protect to warn users to uninstall any SlopAds apps found on devices. (First reported 16.09.2025 20:20; source: www.bleepingcomputer.com)
- The sophistication of the SlopAds campaign suggests that the threat actors may attempt future attacks. (First reported 16.09.2025 20:20; source: www.bleepingcomputer.com)
Similar Happenings
RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
Chinese Malware Campaigns Exploit SEO and GitHub Pages to Distribute HiddenGh0st, Winos, and kkRAT
Chinese-speaking users are targeted by a malware campaign using SEO poisoning and fake software sites to distribute HiddenGh0st, Winos, and kkRAT. The campaign manipulates search rankings and uses trojanized installers to deliver the malware. The attacks exploit vulnerabilities in popular software and use various techniques to evade detection and maintain persistence. The malware is designed to establish command-and-control communication, monitor user activity, and steal sensitive information. The campaign was discovered in August 2025 and involves multiple malware families, including HiddenGh0st and Winos, which are variants of Gh0st RAT. The attacks use fake software sites and GitHub Pages to distribute the malware, exploiting the trust associated with legitimate platforms. The malware employs sophisticated techniques to evade detection and maintain persistence, including anti-analysis checks and TypeLib COM hijacking.
AI-Enhanced Malware Campaign Targeting Multiple Sectors
A threat actor is using AI-enhanced malware to target organizations globally. The campaign, dubbed "EvilAI", has infected hundreds of victims across manufacturing, government, healthcare, and other sectors in the US, India, UK, Germany, France, Brazil, and beyond. The malware is concealed within seemingly legitimate productivity and AI-enhanced apps, leveraging digital signatures and realistic features to evade detection. The malware performs extensive reconnaissance, disables security products, and uses obfuscation techniques to avoid detection. It is believed to be setting the stage for future exploit activity, potentially acting as an initial access broker.
Malicious Browser Extensions Target Meta Business Accounts
Cybersecurity researchers have identified two campaigns using fake browser extensions to hijack Meta Business accounts. The extensions, disguised as legitimate tools for Facebook and Instagram verification and ad optimization, steal session cookies and credentials. The attackers target Meta advertisers to sell hijacked accounts on underground forums or repurpose them for further malicious activities. The campaigns are linked to Vietnamese-speaking threat actors and exploit legitimate cloud services and the Chrome Web Store. The first campaign involves fake 'Meta Verified' extensions named SocialMetrics Pro, distributed via malicious ads and fake websites. The second campaign uses rogue Chrome extensions disguised as AI-powered ad optimization tools, including Madgicx Plus and Meta Ads SuperTool. Both campaigns aim to steal sensitive data and compromise Meta Business accounts.
Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns
Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile for secure CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.