Google removed 224 apps from Play Store

  • xrobwx71
    PCHF Moderator
    • Mar 2023
    • 1067

    #1

    Google removed 224 apps from Play Store

    Security researchers uncovered SlopAds, a large ad-fraud campaign, and Google has removed 224 associated apps from the Play Store. The apps were downloaded about 38 million times worldwide and generated billions of fake ad requests, so many users may have been exposed. If you think you installed one, this guide explains the immediate steps to protect your device.
    [HEADING=1]What is SlopAds Fraud Ad Campaign[/HEADING]
    HUMAN’s Satori Threat Intelligence and Research Team uncovered a mass ad fraud campaign affecting people worldwide. So far, 224 apps have been discovered and taken down (numbers still growing), mainly consisting of utility apps, AI tools, and some games. These apps amassed over 38 million downloads and generated over 2.3 billion ad bid requests per day.

    So, how has such a huge ad fraud campaign been executed on the official Play Store? Below is a full breakdown of the clever tactics they used to avoid detection and serve ads.
    • The apps have normal functions like any other app, but they have a checking system to confirm whether the user downloaded the app directly from the Play Store or opened an ad for the app to download it. Avoiding direct downloads allows it to circumvent manual reviews by the Play Store security or independent security researchers who would typically download the app directly.
    • If an install is confirmed to be from one of their ad campaigns, the app will contact the C2 server to download images infected with a payload (like the FileFix attack). The images are less suspicious, so they pass most phone and Google Play Store security.
    • The code in the images is then decrypted and reassembled in a malicious module (dubbed FatModule in reports). This module gathers device/browser info and creates hidden webviews that can’t be seen by users. These webviews host HTML5 sites with lots of ads to generate impressions. There is also automation code to tap on ads at specific intervals.

    This allowed the SlopAds campaign to generate billions of ad impressions daily without Google or the infected users finding out until now.
    [HEADING=1]How to Check If Your Phone is Infected[/HEADING]
    While the ads are invisible, there are still some ways to confirm if your phone has been infected. Below you’ll find methods and signs that can help confirm SlopAds infection:
    • Check the Official List of Removed Apps: HUMAN published the list of infected apps that got taken down by Google. While it doesn’t include apps yet to be discovered, you can still confirm if one of these apps is on your phone or not.
    • High Battery Drain: a common sign of hidden activity is sudden high battery drain on Android. If you notice your battery is suddenly dropping too fast, go to Settings > Battery and see which apps are consuming battery. If you see an app that is consuming too much battery without foreground activity, it could be running ads.

    SOURCE
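The list check described in the post can be scripted for a device reachable over adb. This is an added example, not part of the original post or of HUMAN's report: it parses the output of `adb shell pm list packages` (plain, `-f` or `-i` form) and reports installed packages that appear on the removed-apps list. The one-name-per-line list format, the function names and every `com.example.*` package below are assumptions made for illustration.

```python
# Constructed sample of `adb shell pm list packages -i` output (not real device data);
# the third line uses the `-f` form, where the APK path precedes the package name.
SAMPLE_PM_OUTPUT = """\
package:com.example.flashlight  installer=com.android.vending
package:com.example.aiphoto  installer=com.android.vending
package:/data/app/~~Zx1Q==/com.example.notes-Ab2==/base.apk=com.example.notes
package:com.android.settings  installer=null
"""

# Constructed stand-in for the published list (assumed format: one package per line).
SAMPLE_REMOVED_LIST = (
    "# placeholder entries only\r\n"
    "com.example.aiphoto\r\n\r\n"
    "com.example.puzzle  \n"
    "com.example.notes\n"
)

def parse_pm_list(output):
    """Map package name -> installer (None if absent or 'null')."""
    installed = {}
    for line in output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        # With -f the first field is "<apk path>=<package>"; the name follows the last "=".
        name = fields[0][len("package:"):].rsplit("=", 1)[-1]
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value == "null" else value
        installed[name] = installer
    return installed

def load_removed_list(text):
    """Return the set of package names, ignoring blank lines and '#' comments."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {entry for entry in entries if entry}

def find_removed_apps(pm_output, removed_text):
    """Return sorted (package, installer) pairs that are installed and on the list."""
    installed = parse_pm_list(pm_output)
    removed = load_removed_list(removed_text)
    return sorted((pkg, installed[pkg]) for pkg in installed.keys() & removed)

if __name__ == "__main__":
    for pkg, installer in find_removed_apps(SAMPLE_PM_OUTPUT, SAMPLE_REMOVED_LIST):
        print(f"{pkg} (installer: {installer or 'unknown'})")
```

As the post notes, the published list does not include apps yet to be discovered, so an empty result only rules out the known ones.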