SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids
Summary
Hide β²
Show βΌ
A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
Timeline
-
16.09.2025 17:19 π° 2 articles Β· β± 1d ago
SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids
The ad fraud campaign was discovered by HUMAN's Satori Threat Intelligence team, which reported that the apps were downloaded over 38 million times and employed obfuscation and steganography to conceal the malicious behavior from Google and security tools. The campaign was worldwide, with users installing the apps from 228 countries, and SlopAds traffic accounting for 2.3 billion bid requests every day. The highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
Show sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
Information Snippets
-
The SlopAds operation involved 224 Android apps, collectively downloaded 38 million times across 228 countries.
First reported: 16.09.2025 17:19π° 2 sources, 2 articlesShow sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
-
The apps used steganography and hidden WebViews to generate fraudulent ad impressions and clicks.
First reported: 16.09.2025 17:19π° 2 sources, 2 articlesShow sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
-
The campaign generated 2.3 billion ad bids daily at its peak.
First reported: 16.09.2025 17:19π° 2 sources, 2 articlesShow sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
-
The fraudulent behavior was triggered only when apps were downloaded via ad clicks.
First reported: 16.09.2025 17:19π° 2 sources, 2 articlesShow sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
-
The operation used AI-themed services like StableDiffusion, AIGuide, and ChatGLM for command and control.
First reported: 16.09.2025 17:19π° 2 sources, 2 articlesShow sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
-
The fraudulent apps were removed from the Google Play Store, disrupting the threat.
First reported: 16.09.2025 17:19π° 2 sources, 2 articlesShow sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
-
The campaign included a feedback loop to evade detection by security researchers.
First reported: 16.09.2025 17:19π° 2 sources, 2 articlesShow sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
-
The FatModule, delivered via PNG image files, gathered device and browser information and conducted ad fraud.
First reported: 16.09.2025 17:19π° 2 sources, 2 articlesShow sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
-
The operation used HTML5 game and news websites for monetization through hidden WebViews.
First reported: 16.09.2025 17:19π° 2 sources, 2 articlesShow sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
-
The campaign's infrastructure included 300 domains advertising the fraudulent apps.
First reported: 16.09.2025 17:19π° 2 sources, 2 articlesShow sources
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids β thehackernews.com β 16.09.2025 17:19
- Google nukes 224 Android malware apps behind massive ad fraud campaign β www.bleepingcomputer.com β 16.09.2025 20:20
Similar Happenings
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.
SEO Poisoning Campaign Targets Chinese Users with HiddenGh0st, Winos, and kkRAT
A sophisticated SEO poisoning campaign targets Chinese-speaking users with malware, including HiddenGh0st, Winos, and kkRAT. The attackers manipulate search rankings to distribute trojanized installers for popular software, leading to the deployment of remote access trojans (RATs). The malware employs various techniques to evade detection and achieve persistence, including anti-analysis checks, DLL side-loading, and TypeLib COM hijacking. The campaign aims to establish command-and-control communication, monitor user activity, and steal sensitive information. The attackers use fake software sites and GitHub Pages to distribute malware. The malware is designed to disable antivirus software and achieve persistence through scheduled tasks and registry modifications. The campaign has been active since at least May 2025 and involves multiple malware families, including kkRAT, which shares code similarities with Gh0st RAT and Big Bad Wolf.
EvilAI Malware Campaign Targets Multiple Sectors Globally
A threat actor, tracked as EvilAI, is using AI-enhanced malware disguised as legitimate productivity and AI-enhanced apps to target organizations in various sectors worldwide. The malware is spread rapidly across multiple regions, including the US, India, the UK, Germany, France, and Brazil. The malware features realistic functionality and stealthy payload delivery, making it difficult to detect with traditional antivirus tools. The campaign uses digital signatures from newly registered entities to lend authenticity to the malicious apps. Once installed, the malware performs extensive reconnaissance, disables security products, and sets the stage for future exploit activities. The malware is likely being used by an initial access broker (IAB) to gain initial access and establish persistence.
Fake Meta Verified and Madgicx Extensions Target Meta Business Accounts
Two campaigns are distributing fake browser extensions to steal Meta Business accounts. The first campaign uses malvertising to push fake 'Meta Verified' extensions, while the second targets Meta advertisers with rogue Chrome extensions pretending to be AI-powered ad optimization tools. The extensions steal session cookies, credentials, and interact with the Facebook Graph API to hijack accounts. The attacks are linked to Vietnamese-speaking actors and aim to sell hijacked accounts on underground forums. The fake 'Meta Verified' extensions are hosted on Box and use Telegram bots to exfiltrate data. The Madgicx Plus extensions are available on the Chrome Web Store and have been installed by multiple users. Both campaigns exhibit sophisticated techniques to industrialize malvertising and account hijacking.
Axios and Microsoft Direct Send Abused in Advanced Phishing Campaigns
Threat actors are abusing HTTP client tools like Axios and Microsoft's Direct Send feature to conduct highly efficient phishing campaigns. These attacks target Microsoft 365 environments, achieving a 70% success rate. The campaign began in July 2025, initially focusing on executives and managers in finance, healthcare, and manufacturing sectors before expanding to all users. The attacks use compensation-themed lures and malicious QR codes to steal credentials. Axios is used to intercept, modify, and replay HTTP requests, bypassing multi-factor authentication (MFA) and hijacking session tokens. The phishing kits also employ advanced evasion tactics, including geofencing and IP filtering, to avoid detection. Organizations are advised to secure Direct Send, configure anti-spoofing policies, and train employees to recognize phishing attempts.