Google Play apps with 38 million downloads linked to massive ad fraud scheme 

Security researchers have discovered one of the largest mobile ad fraud schemes in recent years, involving 224 apps on the Google Play Store with more than 38 million downloads worldwide.

The operation, dubbed SlopAds, secretly generated fake ad views and clicks in the background, stealing advertising dollars while offering no real engagement to brands.

The campaign was uncovered by HUMAN’s Satori Threat Intelligence team, which reported the apps to Google.

In response, Google removed all the fraudulent apps and activated Play Protect, its automatic defense system that warns users and prompts them to uninstall harmful apps.

How the scam worked 

According to researchers, SlopAds hid its fraud mechanisms using steganography and WebViews, simplified browsers embedded in apps.

These tools allowed the apps to open hidden windows, navigate to cashout sites controlled by fraudsters, and rack up fake ad impressions. At its peak, SlopAds was responsible for a staggering 2.3 billion bid requests per day, highlighting how costly the scheme could be for advertisers worldwide.Interestingly, the fraud was carefully engineered to remain undetected. Only apps downloaded after clicking on a SlopAds-controlled ad were activated to commit fraud, while others stayed dormant. Researchers described this as a “novel abuse of marketing attribution technology”, showing how sophisticated ad fraud tactics have become.

“All users who have these identified apps installed on their device will receive a warning and will be prompted to uninstall them. Play Protect is on by default on Android devices with Google Play Services,” the report reads.

Global reach and AI branding 

SlopAds’ fake ad traffic spanned 228 countries and territories, with most originating from the United States (31%), followed by India (11%) and Brazil (7%).

Many of the fraudulent apps, along with the domains and servers used in the campaign, carried an AI theme, which inspired the SlopAds name.

The apps also collected large amounts of device and browser data, allowing the fraudsters to tailor operations for maximum effectiveness.

Encrypted instructions, delivered via Google’s Firebase platform, directed the apps to fraud modules, cashout sites, and scripts needed to generate revenue.

In some cases, even the fraud management module was hidden inside PNG images, later reassembled on users’ devices to form executable code.

One of the key cash-out methods involved HTML5 (H5) games and news sites owned by the fraudsters. These sites displayed ads at high frequency, but because they were loaded in hidden WebViews, users never saw them.Meanwhile, advertisers paid for impressions and clicks that never reached a real audience.For users, the apps appeared harmless but quietly drained device resources in the background. For advertisers, the losses ran into millions of dollars in wasted ad budgets.What you should know 

This is not the first time fraudsters are hiding under apps on the Google Play Store to defraud or attack users.

In October last year, Zscaler ThreatLabz research team revealed that more than 200 apps on the Google Play Store, downloaded nearly eight million times, were found to be malicious.

According to the report, Nigeria is one of the top 10 countries in the world targeted by these mobile malware attackers.

Other top targets include India, the US, Canada, South Africa, the Netherlands, Mexico, Brazil, Singapore, and the Philippines.

Follow us for Breaking News and Market Intelligence.