Sep 16, 2025Ravie LakshmananAd Fraud / Cell Safety
An enormous advert fraud and click on fraud operation dubbed SlopAds ran a cluster of 224 apps, collectively attracting 38 million downloads throughout 228 international locations and territories.
“These apps ship their fraud payload utilizing steganography and create hidden WebViews to navigate to menace actor-owned cashout websites, producing fraudulent advert impressions and clicks,” HUMAN’s Satori Menace Intelligence and Analysis Workforce stated in a report shared with The Hacker Information.
The title “SlopAds” is a nod to the seemingly mass-produced nature of the apps and using synthetic intelligence (AI)-themed providers like StableDiffusion, AIGuide, and ChatGLM hosted by the menace actor on the command-and-control (C2) server.
The corporate stated the marketing campaign accounted for two.3 billion bid requests a day at its peak, with site visitors from SlopAds apps primarily originating from the U.S. (30%), India (10%), and Brazil (7%). Google has since eliminated all of the offending apps from the Play Retailer, successfully disrupting the menace.
What makes the exercise stand out is that when a SlopAds-associated app is downloaded, it queries a cell advertising attribution SDK to test if it was downloaded immediately from the Play Retailer (i.e., organically) or if it was the results of a consumer clicking on an advert that redirected them to the Play Retailer itemizing (i.e., non-organically).
The fraudulent conduct is initiated solely in eventualities the place the app was downloaded following an advert click on, inflicting it to obtain the advert fraud module, FatModule, from the C2 server. Then again, if it was initially put in, the app behaves as marketed on the app retailer web page.
“From creating and publishing apps that solely commit fraud underneath sure circumstances to including layer upon layer of obfuscation, SlopAds reinforces the notion that threats to the digital promoting ecosystem are solely rising in sophistication,” HUMAN researchers stated.
“This tactic creates a extra full suggestions loop for the menace actors, triggering fraud provided that they’ve motive to consider the system is not being examined by safety researchers. It blends malicious site visitors into authentic marketing campaign information, complicating detection.”
The FatModule is delivered by the use of 4 PNG picture information that conceal the APK, which is then decrypted and reassembled to assemble system and browser info, in addition to conduct advert fraud utilizing hidden WebViews.
“One cashout mechanism for SlopAds is thru HTML5 (H5) sport and information web sites owned by the menace actors,” HUMAN researchers stated. “These sport websites present advertisements continuously, and for the reason that WebView through which the websites are loaded is hidden, the websites can monetize quite a few advert impressions and clicks earlier than the WebView closes.”
Domains selling SlopAds apps have been discovered to hyperlink again to a different area, ad2[.]cc, which serves because the Tier-2 C2 server. In all, an estimated 300 domains promoting such apps have been recognized.
The event comes a little bit over two months after HUMAN flagged one other set of 352 Android apps as a part of an advert fraud scheme codenamed IconAds.
“SlopAds highlights the evolving sophistication of cell advert fraud, together with stealthy, conditional fraud execution and fast scaling capabilities,” Gavin Reid, CISO at HUMAN, stated.
