The IAS Threat Lab has uncovered a large-scale, fast-evolving ad fraud operation known as Mirage—a sprawling network of fraudulent Android apps designed to hijack user devices and exploit ad ecosystems at massive scale.
Mirage apps masquerade as helpful utilities like phone cleaners and battery boosters. On the surface, they appear harmless. But behind the scenes, they use cloaking techniques and bot-driven installs to quietly switch on aggressive ad fraud behaviour once installed through specific referral links. The result: full-screen interstitial ads that interrupt users out of context, with no real utility provided by the apps themselves.
Threat Lab researchers have identified over 300 Mirage-linked app IDs, collectively amassing more than 70 million downloads and generating over 350 million daily bid requests. These apps were built with one goal in mind: monetize unsuspecting users through persistent, non-consensual advertising.
Mirage marks a troubling evolution of tactics first seen in the Threat Lab-discovered Vapor scheme. Unlike Vapor apps, which gradually stripped away features over time, Mirage apps are designed to mislead from the outset—launching with fake installs to climb app store rankings and turning on monetization only when real users start downloading.
IAS collaborated directly with Google to take swift action against the Mirage operation. Based on Threat Lab intelligence, all identified Mirage apps have been removed from the Google Play Store. Google Play Protect is actively alerting users and will disable these apps automatically, even when installed outside of the Play Store ecosystem.
IAS continues to monitor Mirage’s activity, as its operators rapidly adapt through reskinned apps, recycled developer accounts, and global distribution across North America, Europe, and Asia-Pacific.