Bitdefender warns that a major ad fraud campaign in the Google Play Store resulted in more than 60 million downloads of malicious apps.
The attackers managed to place at least 331 malicious apps in the Play Store. In addition to displaying full-screen ads, some of the apps also directed users to phishing sites designed to harvest their credentials.
“Most applications first became active on Google Play in Q3 2024,” Bitdefender says. “After further analysis, we saw that older ones that had been published earlier were initially benign and did not contain malware components. The malicious behavior was added afterward, starting with versions from the beginning of Q3.
To be clear, this is an active campaign. The latest malware published in the Google Play Store went live in the first week of March, 2025. When we finished the investigation, a week later, 15 applications were still available for download on Google Play.”
The apps posed as popular utility services, such as QR scanners, budget planners, health apps, and many others.
“One way to keep a malicious app hidden from the user is to hide the icon – a behavior that is no longer allowed in the Android OS,” the researchers write. “We notice that attackers used multiple approaches to solve this problem. The most popular and interesting one is also likely the most efficient.
The app comes with the Launcher Activity (e.g., that the user sees and clicks on) disabled by default. Afterwards, by abusing the startup mechanism provided by the content provider, the samples use native code to enable the launcher, which is likely carried out as an additional technique to evade detection.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Bitdefender has the story.
