New Play Store warning
Coming just 24-hours after Google’s latest warning that Android is under attack, a new report has uncovered an “extensive and sophisticated ad fraud scheme” that has amassed more than 56 million downloads for 180 malicious apps. Google has now deleted all these apps from its Play Store, but serious damage has been done. Users need to trawl through their phones and remove trivial, vacuous apps.
While ad fraud doesn’t get the same attention as phishing and malware attacks, it operates at a massive scale, and it downgrades your experience on your phone and on the apps you use. It also generates millions in fraudulent revenue for attackers, and those funds are often put to much more dangerous use.
Integral Ad Science (IAS), which discovered this new threat, has dubbed it “Vapor,” given “its ability to ‘evaporate’ any real functionality from apps, leaving behind only intrusive ads. Vapor exploits unsuspecting users and ad networks on a massive scale, representing a highly organized and pervasive ad fraud scheme.”
These so-called “vapor” apps are just the latest to “mimic legitimate apps,” and they target popular categories with the usual empty functionality that continues to be catnip for millions if users. Flashlights, QR code readers, horoscopes, and the like. Please stop downloading such apps from unknown developers. It’s a dangerous habit.
Typical ‘vapor’ apps on Play Store.
“These deceptive designs allow the apps to infiltrate user devices without raising suspicion, enabling fraudulent activities at scale. Version 1 of these apps were introduced into Google Play as functional applications. However, subsequent updates removed legitimate functionality, replacing it with tactics to maximize ad revenue through full-screen interstitial video ads. These intrusive ads completely removed app launch icons and visible UI elements at the expense of deteriorating user experience.”
This devious methodology tricked Google’s Play Store defenses by using a vanilla version of the app as an initial trojan horse before updating with the fraudulent ad code, an update not a new app. “Believing these apps to offer useful functionality, users proceed to install them… However, the true intent of these apps quickly becomes apparent. Upon installation, these apps are often accompanied by a persistent notification, subtly ensuring their continued operation. Some of these apps have no visible icon or ‘open’ button available for the user to interact with.”
The “attack” itself was a screen take-over, with full screen ads shown in a way that prevented a user from closing the app or returning to the home screen, “effectively hijacking the device’s screen and rendering the user’s device largely inoperative.” App identifiers can be found via IAS’s report.
IAS says some of the “Vapor” apps achieved more than a million downloads. “To artificially boost rankings and visibility, threat actors likely employed app install schemes, forcing installations onto devices. This strategy not only inflated download numbers but also positioned these apps higher in rankings, eventually leading to legitimate users discovering and installing them.”
Typical ‘vapor’ app screen hijacks.
In response to the report, Google says “if we find apps that violate our policies, we take appropriate action. We have removed all of the identified apps in this report from Google Play. Android users are also automatically protected from associated apps known to exhibit this type of behavior by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect will warn users and automatically disable these apps, even when apps come from sources outside of Play.”
Scott Pierce, head of fraud protection at IAS, told me “we found Vapor Apps to present users with persistent and intrusive full screen ads that prevent users from interacting with or even uninstalling them from their devices. The current strain of Vapor is now fully understood by IAS given the characteristics of these apps, and we appreciate the collaboration of our partners at Google in quickly addressing the issue. Google Play Protect will now warn users and automatically disable these apps.”
IAS describes this as “a relentless fraud operation, engineered to manipulate and monetize at scale. Threat actors systematically built or acquired a vast arsenal of apps—often simple UI reskins—leveraging app install schemes to manipulate rankings.” The team warns that “these tactics ensured that unsuspecting users would discover, install, and ultimately fall victim to the scheme. With apps rapidly cycling in and out, and many reaching over one million downloads in record time, Vapor’s scale, speed, and persistence highlight the evolving nature of ad fraud and the ongoing challenge of staying ahead of these operations.”
As for users — stop installing vacuous, pointless apps on your phone.
It really is as simple as that.
