DoubleVerify warns of ‘zombie’ Android app fraud surge

DoubleVerify has issued a fraud alert about a mobile scam in which criminals hijack dormant Android developer accounts and use them to publish fraudulent gaming apps on Google Play.

The company said the pattern differs from earlier app store scams that relied on newly created developer accounts. Those accounts often attract heavier scrutiny from app store security systems and then disappear after enforcement action.

DoubleVerify said fraudsters have shifted towards taking over established accounts that have been inactive for months or years. The company described these as “zombie” accounts. It said the prior history of legitimate activity can allow fraudulent apps to pass automated checks that focus on reputation signals.

The company said the resulting apps generate invalid traffic that drains advertiser budgets. It also said many of the apps consume battery power excessively. The firm said this can harm devices on which the apps are installed.

Shift in tactics

DoubleVerify said fraudsters historically infiltrated app stores by creating new developer accounts and adding fake reviews and metadata. It said this approach has become harder to sustain because new accounts receive extra screening and can face rapid takedowns.

In the newer pattern, DoubleVerify said criminals compromise accounts with an existing publishing track record. It said the accounts then return from long periods of inactivity and release multiple gaming apps. The company described these games as generic and low-quality.

DoubleVerify said the published apps can serve intrusive or out-of-context ads. It said the apps can produce large volumes of ad requests that do not correspond with real gameplay.

The firm said it first uncovered the trend in 2025 and expects the activity to increase in the coming months. It also warned that advertisers that depend on app store protections alone may remain exposed.

Detection signals

DoubleVerify said it identified the scheme through patterns in early traffic. It pointed to traffic surges at times of day that do not align with typical casual gaming behaviour.

“In our work protecting our advertiser clients’ campaigns, DV Fraud Lab is constantly on the lookout for suspicious signals,” said Gilit Saporta, VP Product, Fraud & Quality, DoubleVerify.

Saporta said, “The fraudulent gaming apps in this scheme had massive, inexplicable traffic surges very early in the morning – a time when casual gamer traffic is generally at its lowest. They also reached high-volume traffic levels within hours of launch, despite having no marketing presence, poor user reviews and minimal quality scores.”

“The traffic patterns had no relationship to the apps’ actual functionality, suggesting that the ‘users’ were bot clusters programmed to fire ad requests regardless of gameplay. Finally, despite coming from unrelated developer accounts, they share similar backend naming rubric and the same underlying fraudulent infrastructure.”

DoubleVerify said its analysts also saw changes at the account level. It said some accounts appeared to switch topics abruptly after years of inactivity, with developer profiles that previously published niche utilities or hobby apps moving suddenly into casual gaming categories.

“When we took a step back and investigated the accounts from which the apps originated, we noted that the accounts had undergone recent and abrupt “personality” changes, as if they were being inhabited by an outside force,” said Anna Gantman, Fraud Analyst at DV.

Examples cited

DoubleVerify cited examples of developer accounts that appeared to shift focus. One account that had previously published ornithology apps and had been dormant since 2017 returned in 2025 and then released a set of generic gaming apps, according to the company’s findings.

It also pointed to a developer account that had been inactive since 2016 and later returned with game apps positioned as stress-relieving titles. DoubleVerify said these sorts of pivots can act as a signal when combined with other behavioural indicators.

Advertising impact

DoubleVerify said “zombie” accounts matter because many buyers, sellers and platforms treat developer history as a trust signal. It said that can weaken defences if monitoring does not reflect live behaviour.

“Zombie accounts are particularly dangerous because they exploit the industry’s trust in historical reputation,” said Gantman. “Advertisers and platforms often rely on an account’s past activity, not what’s happening in real time.”

DoubleVerify said the fraud can distort campaign measurement because invalid traffic inflates delivery metrics. It also said the approach can affect optimisation decisions when systems treat the traffic as legitimate engagement.

The company said advertisers face brand risk if ads appear in unsuitable environments associated with low-quality content. It also said the activity can evade app store protections when automated screening does not spot the compromised account or the app behaviour.

Real-time monitoring

DoubleVerify said it recommends moving away from reputation-only checks and using real-time behavioural analysis. It said it has added these “zombie account” signatures into its own detection models and monitoring processes.