
Security experts have recently uncovered a significant ad fraud scheme known as SlopAds, prompting Google to take down 224 apps linked to this illicit campaign from its Play Store. These applications, which have collectively amassed approximately 38 million downloads, generated billions of fraudulent ad requests, potentially exposing countless users to risks. If you suspect you may have downloaded one of these malicious apps, this comprehensive guide details immediate actions you can take to safeguard your device.
Understanding the SlopAds Ad Fraud Scheme
The Satori Threat Intelligence and Research Team from HUMAN discovered this widespread ad fraud campaign, which has impacted users across the globe. So far, 224 apps have been identified and removed, a number that is still growing; they are primarily utility applications, AI tools, and certain gaming apps. Collectively, these applications were responsible for generating over 2.3 billion ad bid requests daily.
But how did such a massive ad fraud operation remain undetected within the Google Play Store? The following sections outline the sophisticated methods employed by the perpetrators to bypass scrutiny and serve ads effectively.
- These apps might appear to function normally, but they include a routine that verifies whether users downloaded the app directly from the Play Store or accessed it via an advertisement. This tactic helps circumvent the routine security checks usually performed by Google employees or independent safety reviewers who download apps directly.
- If an app detects that it has been installed through one of its promotional campaigns, it connects to a command-and-control (C2) server to download seemingly benign images containing a hidden payload. This ruse effectively deceives most security checks implemented by Google Play Store and device safety protocols.
- The original payload embedded within these images is decrypted and reconstructed into a malicious module, referred to in reports as FatModule. This module collects device and browser information while creating invisible webviews that generate ad impressions without user awareness. Additionally, it executes automation scripts to simulate ad clicks at predetermined intervals.
This elaborate scheme enabled SlopAds to produce billions of fraudulent ad impressions daily without detection until now.
Identifying Potential Infections on Your Device
While the ads themselves may be concealed, there are several indicators that may suggest your device has been compromised. Here are effective methods for verifying a potential SlopAds infection:
- Consult the Official List of Removed Applications: HUMAN has released a list of apps identified and removed by Google. Although this list may not capture all malicious applications, it is still a valuable resource for checking your device.
- Increased Battery Drain: A sudden drop in battery life is often a telltale sign of hidden activities. Navigate to Settings → Battery to identify which apps are responsible for excessive battery consumption. An application draining battery without being used in the foreground might be engaged in running ads.

- Unexpected Behavior on Your Device: Even though the ads run covertly, they might trigger unexpected actions on your phone, such as unsolicited prompts to download unknown apps or random web pages opening without your consent. These anomalies could indicate the presence of the SlopAds threat.
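The first check above can be scripted once the published list is saved as a text file. The following is an added example, not code from HUMAN or Google; it assumes the list is stored one package name per line, and every package name and file name in it is a constructed placeholder.

```sh
#!/bin/sh
# Added example: cross-check installed Android packages against a list of
# removed apps. All package names here are constructed placeholders.
# Real input (assumed file names):
#   adb shell pm list packages -3 > installed.txt   # third-party apps only
#   removed.txt: the published list, one package name per line

# Reduce `pm list packages` output to bare package names: strip the CRs adb
# can emit, the "package:" prefix, and anything after the name.
installed_packages() {
    tr -d '\r' | sed -n 's/^package:\([^[:space:]]*\).*$/\1/p' | LC_ALL=C sort -u
}

# Clean the list: drop '#' comments, stray whitespace and blank lines.
listed_packages() {
    tr -d '\r' | sed -e 's/#.*$//' -e 's/[[:space:]]//g' -e '/^$/d' | LC_ALL=C sort -u
}

# Print every installed package whose full name is on the list.
# $1 = saved pm output, $2 = removed-apps list. Matching is exact, so
# "com.example.flashlight" does not flag "com.example.flashlight.pro".
find_removed_apps() {
    _inst=$(mktemp) && _list=$(mktemp) || return 2
    installed_packages < "$1" > "$_inst"
    listed_packages < "$2" > "$_list"
    LC_ALL=C comm -12 "$_inst" "$_list"
    rm -f "$_inst" "$_list"
}

# Demo on constructed sample data.
demo=$(mktemp -d)
printf 'package:com.example.flashlight\r\npackage:com.example.aiphoto\r\n' > "$demo/installed.txt"
printf 'package:com.example.flashlight.pro\r\npackage:org.example.notes\r\n' >> "$demo/installed.txt"
printf '# constructed list\ncom.example.aiphoto\n  com.example.flashlight \ncom.example.photo\n' > "$demo/removed.txt"
echo "Installed apps found on the removed list:"
find_removed_apps "$demo/installed.txt" "$demo/removed.txt"
rm -rf "$demo"
```

An empty result only means no installed app is on the saved copy of the list, which, as noted above, may not capture every malicious application.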
Steps to Remove Malicious Apps
If you identify signs of infection, implementing the following steps can help cleanse your device of harmful applications:
- Run a Google Play Protect Scan: As Google works to eliminate these malicious applications, it has also improved Play Protect’s capabilities to identify and inform users of potential threats. To initiate a scan, access the Google Play Store, tap on your profile, select Play Protect, and then click on Scan. This process automatically detects and removes any harmful apps.

- Revoke Sensitive Permissions: Malicious applications often exploit sensitive permissions to maintain control, which may hinder uninstallation or allow dangerous actions. Navigate to Settings → Privacy protection → Special permissions to revoke any app permissions that you do not trust. Additionally, don’t forget to check Accessibility → Installed apps to ensure untrusted apps lack accessibility service access.

- Reset Your Advertising ID: Engaging with random ads may have adversely influenced your advertising ID, resulting in irrelevant and potentially offensive advertisements. To reset your advertising ID, go to Google → Ads in Settings and tap on Reset advertising ID.

Defensive Measures Against Future Infections
Reports suggest that the SlopAds campaign has not been fully eradicated; many active domains related to the attack remain. To safeguard your device in the future, consider the following preventative measures:
- Review App Ratings and Comments: Users often leave feedback when they uninstall apps due to harmful behavior. Be sure to filter reviews, particularly the negative ones. If you spot numerous warnings about increased ad activity or other malicious actions, it’s advisable to avoid those apps.
- Scrutinize Requested Permissions: Compare the permissions requested by an app against its intended functionality. For example, why would a basic calculator app require microphone access? If the permissions seem excessive or irrelevant, it’s best to steer clear of that application.
- Monitor Data Usage: Since ad-serving apps consume substantial network resources, regularly checking your data usage can help you spot apps that use more data than expected. You can do this in Settings → Connection & sharing (or Connectivity) → Data usage.

Stay vigilant regarding apps that were installed through advertisements, as they are primarily associated with this ad fraud scheme. For enhanced security, ensure that you activate recommended Android security settings.