Facepalm: Google Play is deploying increasingly sophisticated protections to safeguard users against malware and other security threats. Yet skilled threat actors continue to find ways around these defenses, exploiting vulnerabilities to generate revenue and compromise devices at scale.
Earlier this year, Google provided figures about Android's supposed resilience against malware and other security threats. Yet the newly uncovered "SlopAds" campaign shows that Mountain View's defenses remain vulnerable to sophisticated, heavily obfuscated attacks.
Researchers at Satori Threat Intelligence, part of Human Defense Platform, discovered that SlopAds is a complex ad and click fraud campaign built on more than 224 apps. Collectively, those apps were downloaded over 38 million times from Google Play across 228 countries and markets.
The name "SlopAds" comes from the apps' mass-produced, AI-style branding, echoing the flood of low-quality "AI slop" now spreading online. Despite mimicking popular services such as ChatGPT, all of the hundreds of apps were malicious, with activity routed through command-and-control (C2) servers run by the attackers.
SlopAds generated 2.3 billion fake ad requests daily, with most impressions coming from the US (30 percent), India (10 percent), and Brazil (7 percent). The researchers said the apps used clever tricks to bypass Google Play's increasingly sophisticated security measures.
When users installed the malware directly from Google Play, it behaved like a typical app with no sign of fraudulent or malicious activity. However, if users installed it after clicking a fraudulent ad, the app downloaded an encrypted configuration file that delivered the malicious payload.
The SlopAds apps retrieved PNG images that used steganography to hide pieces of a malicious APK archive. Once assembled, the complete malware – called Fat Module – used hidden Chrome browser instances (WebView) to collect device data and communicate with the C2 servers.
The malicious domains generated fake ad requests by impersonating legitimate news websites, providing a continuous stream of ad revenue for the cybercriminals. Satori analysts said the C2 infrastructure included more than 300 domains, showing that the threat actors were ready to expand their "business." Google has removed all 224 identified apps from the Play Store, but SlopAds could reemerge under different names, adapting to Mountain View's countermeasures.