Steganography, Mobile Marketing Attribution, Code Obfuscation Deployed for Ad Fraud

Rashmi Ramesh (rashmiramesh_) •
September 16, 2025    

'SlopAds' Fraud Campaign Uses Novel Obfuscation Techniques

A cybercrime crew using Android mobile apps to conduct advertising fraud took unusual pains to hide its activity, concealing malicious code inside downloadable image files and withholding the fraud payload from the subset of users who found its apps organically through the Google Play store.


Researchers at Human Security said Tuesday they saw the threat actor behind the campaign operate a collection of 224 apps – and growing – with 38 million collective downloads across the globe. They dubbed the campaign “SlopAds,” since the apps underpinning the campaign have a low-quality sheen indicative of content churned out by generative artificial intelligence. Many of the apps also had an AI theme.

At its peak, the SlopAds campaign accounted for 2.3 billion online ad bids per day. Human Security said it’s in contact with Google Play and helping remove new apps as they’re uploaded.

The apps use a range of tactics to conceal their real purpose. The first is a check on how the app was installed: whether the user found it directly in the Play store, or arrived there by clicking a digital ad for the app. The SlopAds operators never activated the fraud in organically installed copies, which helped them avoid early detection.

Apps that pass that check contact a command-and-control server and receive PNG image files that carry an encrypted Android application package (APK). Once decrypted and reassembled, the pieces form the module that manages the fraud, systematically clicking ads inside hidden web browsers. The technique lets the operators deliver complex fraud capabilities while appearing merely to transfer graphics files.

The level of obfuscation in the SlopAds campaign makes it stand out from run-of-the-mill ad fraud campaigns, said Lindsay Kaye, vice president of threat intelligence at Human Security. “Many threat actors incorporate obfuscation or multi-stage malware in general, but this is the first time we’ve seen this many layers incorporated, including steganography, which is not something we have recently seen in ad fraud.”

SlopAds apps determined their install status – organic or ad-driven – by repurposing a mobile marketing attribution platform. Users who clicked through an ad for an app automatically generated a tag that SlopAds operators could view. “In terms of sophistication, this is certainly an interesting example of a threat actor seeing how to use this existing tool in part of their campaign which might go unnoticed more easily than a custom utility,” said Kaye.

The apps further searched for debugging tools that might expose their true purpose and included checks for emulators or modified devices commonly used by security researchers. String encryption and packed native code provided additional obfuscation layers designed to frustrate reverse engineering attempts.

The fraud mechanism operated through hidden WebViews that functioned as invisible web browsers on victim devices. These hidden browsers navigated to criminal-controlled cashout websites, typically HTML5 games and news sites that hosted ads. The WebViews collected detailed device and browser information before systematically clicking on viewable advertisements to generate fraudulent revenue streams for the cashout site owners.

“The level of obfuscation is quite complex,” said Joao Santos, senior manager of threat intelligence at Human Security. He described how the apps retrieved encrypted configurations that contained URLs to download the fraud module, connect to cashout domains and deliver JavaScript code to power the click fraud.

Human tied more than 300 related promotional domains to the same network, many of them pointing to tiered command-and-control servers. Analysts said the operators ramped up traffic quickly, indicating that the 224 identified apps may represent only part of the activity.

The cashout mechanism relied on rapid redirections through multiple domains that sanitized referrer data and made fraudulent requests appear more legitimate. The redirections changed tracking parameters multiple times before reaching final destination websites where automated clicking generated revenue for the criminals.

Google removed all identified SlopAds applications from the Play store. The company’s Play Protect system now automatically detects and warns users about applications exhibiting similar behavioral patterns, even when installed from sources outside the official app store. Users with existing installations receive warnings and prompts to uninstall the malicious software.

Although this specific network has been disrupted, the researchers expect the techniques demonstrated in SlopAds to resurface. “We almost always see this cat-and-mouse dynamic come up in any campaign we analyze, simply because financially motivated threat actors are out to make money,” Kaye said.