What happened?
In March 2025, security researchers at IAS Threat Labs and Bitdefender uncovered a large-scale ad fraud operation involving more than 300 malicious Android apps hosted on Google Play, which have been collectively downloaded over 60 million times worldwide.
The campaign, dubbed "Vapor", was likely orchestrated by either a single entity or multiple actors using a common tool available on black markets. It mostly targets users in Brazil, the United States, Mexico, Turkey, and South Korea.
These apps often offer minimal functionality while masquerading as QR scanners, health apps, or expense trackers. Once installed, they attempt to bypass Android security restrictions, which lets them bombard users with full-screen advertisements over other apps, even when the application itself is not running.
Worryingly, many of these ads also double as phishing attempts, aiming to collect user credentials for online services.
As a result of these findings, Google has removed all identified apps from the Play Store, and Google's Play Protect feature will alert users and disable these apps, even when they are downloaded from sources outside the Google Play Store.
Bitdefender has published a complete list of the 331 malicious apps that were hosted on Google Play.
So what?
With over three billion Android users globally, the Google Play Store is a frequent target for cybercriminals attempting to bypass security measures. While Google actively removes these threats, criminals continually find ways to adapt.
This campaign attempted to conceal the malicious app from the user by hiding its application icon – a behaviour that is no longer allowed in the latest version of Android. On older versions of Android, the malicious app can also start without user interaction.
To mitigate risks on devices in your environment:
- Consider implementing restrictions on mobile devices, limiting installations to approved applications only.
- In BYOD (Bring Your Own Device) environments, ensure that your users avoid installing apps from unverified sources.
- Ensure OS updates are installed as soon as they are available.