Security researchers have uncovered one of the largest mobile ad fraud operations in recent years, involving 224 apps on the Google Play Store with more than 38 million downloads globally.

The scheme, dubbed SlopAds, secretly generated fake ad views and clicks in the background, siphoning advertising revenue while providing no real user engagement. At its peak, the operation produced 2.3 billion bid requests daily.

The fraud was discovered by HUMAN’s Satori Threat Intelligence team, which promptly reported the apps to Google. The tech giant has since removed the apps and activated its Play Protect system to warn users and prompt uninstalls.

Investigators revealed that the apps concealed their fraudulent behavior using steganography and hidden WebViews, the latter opening invisible browsers to load cashout sites. Many of the apps and domains carried AI-themed names, helping to disguise their true purpose.

SlopAds’ fake traffic spanned 228 countries, with the highest activity traced to the United States, India, and Brazil. Researchers also noted that instructions for the scheme were delivered via Google’s Firebase platform, while some fraud modules were hidden inside PNG images and later reassembled on users’ devices.

Analysts warn that while the apps appeared harmless, they drained device resources and caused significant losses for advertisers, who unknowingly paid millions of dollars for non-existent impressions and clicks.

This discovery follows similar reports of malicious apps on Google Play. In October 2024, more than 200 harmful apps with eight million downloads were identified, with Nigeria ranked among the top 10 most targeted countries.