
331 Apps and Over 60 Million Downloads Later – The Google Play Store Under Threat

3/20/2025 | 3 minute read

Many users assume that the Google Play Store only offers safe and trusted apps. However, there are risks that many may not realize, especially for Android users. It's important to remember that due diligence shouldn’t end with a well-known app name—what may seem harmless at first can evolve into a significant security threat.

The Beginning of the Problem

The issue first emerged around early 2024, when researchers uncovered that many previously trusted apps had started exhibiting suspicious behavior. Initially, these apps were considered safe and confirmed not to contain malware. However, further investigation revealed that 180 apps had sent over 200 million fake ad requests.

As the situation evolved, Bitdefender’s security researchers uncovered a large-scale ad fraud campaign, later named Vapor, involving 331 infected apps with over 60 million downloads. These apps were cleverly disguised as harmless, everyday tools—such as utility, lifestyle, QR scanner, and fitness apps. Some of the notable apps involved include AquaTracker, ClickSave Downloader, Scan Hawk, Water Time Tracker, and Translate Scan.

Risks Faced by Users:

  • Full-screen, out-of-context ads
  • Attempts to steal sensitive user data, including:
    • Online service credentials
    • Credit card information
  • Phishing attacks
  • Launching apps without user interaction (which should not be possible)
  • Making phones inoperable

How Did This Happen?

One of the tactics used by malicious app developers is called versioning. In this method, apps are initially published on the Play Store without any harmful features, allowing them to pass Google's review process. After the app is approved and downloaded by users, the developers push updates introducing harmful behavior, such as intrusive ads or malicious functionalities. This approach enables them to bypass security checks and cause problems after the app is already installed on users' devices. Even Android 13 security measures were bypassed in this case.

Tactics Used for Avoiding Detection:

  • Icon Concealment:
    • Developers disable launcher activities or use Android TV-specific APIs to hide apps from users.
  • Unauthorized Activity Launching:
    • Malware initiates activities without user consent, often pretending to be legitimate apps like Facebook or YouTube.
  • Persistence Techniques:
    • Apps use dummy broadcast receivers and foreground services to stay active on devices. Even with restrictions on foreground services in newer Android versions, attackers bypass these limitations using native code.
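
The versioning pattern and the evasion tactics above leave traces in an app's manifest from one release to the next. The following is an added example, not code from the article or from the researchers it cites: it compares two versions of an `AndroidManifest.xml` and reports a lost launcher icon, newly added broadcast receivers and services, and a newly requested foreground service permission. It assumes both manifests have already been decoded to text XML; the package name, component names and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "android.intent.category.LAUNCHER"
FGS = "android.permission.FOREGROUND_SERVICE"

def summarize(manifest_xml):
    """Extract the manifest features tied to the tactics listed above."""
    root = ET.fromstring(manifest_xml)
    names = lambda tag: {n.get(NS + "name") for n in root.iter(tag)}
    launchers = set()
    for tag in ("activity", "activity-alias"):
        for node in root.iter(tag):
            cats = {c.get(NS + "name") for c in node.iter("category")}
            # A component with android:enabled="false" gets no launcher icon.
            if LAUNCHER in cats and node.get(NS + "enabled", "true") != "false":
                launchers.add(node.get(NS + "name"))
    return {"launchers": launchers, "receivers": names("receiver"),
            "services": names("service"), "permissions": names("uses-permission")}

def compare(old_xml, new_xml):
    """Return findings for changes an update introduced (the versioning pattern)."""
    old, new = summarize(old_xml), summarize(new_xml)
    findings = []
    if old["launchers"] and not new["launchers"]:
        findings.append("launcher icon removed")
    for kind in ("receivers", "services"):
        for name in sorted(new[kind] - old[kind]):
            findings.append(f"new {kind[:-1]}: {name}")
    if FGS in new["permissions"] - old["permissions"]:
        findings.append("foreground service permission added")
    return findings

# Constructed sample manifests (not taken from any real app).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.qrscan">'
MAIN = ('<activity android:name=".Main"{}><intent-filter>'
        '<action android:name="android.intent.action.MAIN"/>'
        '<category android:name="android.intent.category.LAUNCHER"/>'
        '</intent-filter></activity>')
V1 = HEAD + "<application>" + MAIN.format("") + "</application></manifest>"
V2 = (HEAD + '<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>'
      "<application>" + MAIN.format(' android:enabled="false"')
      + '<receiver android:name=".BootStub"/><service android:name=".KeepAlive"/>'
      "</application></manifest>")

if __name__ == "__main__":
    for finding in compare(V1, V2):
        print(finding)
```

A launcher component that is disabled at runtime rather than in the manifest will not show up in this diff, so it complements on-device checks rather than replacing them.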

Response and Current Updates

The good news is that Google typically responds quickly to reports of such incidents and removes affected apps as soon as possible. However, cybercriminals are highly adaptive. According to IAS Threat Lab, “Fraudsters behind the Vapor operation have created multiple developer accounts, each hosting only a handful of apps to distribute their operation and evade detection”. This strategy ensures that the removal of any single account has a minimal impact on the overall operation.

It is still not 100% clear who exactly the threat actor(s) are. Researchers believe that the majority of these malicious apps were uploaded to the Play Store between October 2024 and January 2025, with the most recent malware-laden apps being launched in March 2025.

Contact Skyriver IT

While situations like this are unfortunate, your response and the preventive security measures you have in place determine the outcome. It’s not enough to trust that the latest Android update will protect you in every case, nor should you assume that every app on the Google Play Store is safe. Conducting your own due diligence is crucial to avoid issues before they arise. At Skyriver IT, we promote a proactive approach to security—ensuring you're always one step ahead, not reacting after problems occur. With our team of trusted experts, you can focus on what matters most to you. Contact us today for frustration-free IT solutions!
