350/68 Thursday, September 18, 2025
Google has removed 224 malicious Android applications from the Play Store after researchers from HUMAN Satori Threat Intelligence discovered that they were being used in a massive ad fraud operation known as “SlopAds”, which generated over 2.3 billion fake ad requests per day. These apps had already been downloaded more than 38 million times across 228 countries, with the majority of fake ad traffic-around 30%-originating from the United States.
SlopAds employed sophisticated evasion techniques, such as encryption, remote configuration loading via Firebase, and hiding malicious code inside PNG files using steganography. When the apps detected that they were installed through the attackers’ ads, they would download a malware module called “FatModule” onto the device. This module continuously ran hidden WebView ads, enabling attackers to generate massive revenue from fraudulent ad clicks and impressions.
The SlopAds infrastructure included multiple command-and-control servers and more than 300 related domains, indicating that the attackers may have been preparing to expand the operation further. While Google has removed all identified apps and updated Google Play Protect to alert users to uninstall them, researchers warn that due to the operation’s complexity, attackers may adapt their techniques and return in the future. Users are advised to avoid installing apps from untrusted sources and to regularly check the security of their devices.
