Redazione RHC : 17 September 2025 14:57
A massive ad fraud scheme called SlopAds has been hiding behind hundreds of “harmless” Android apps and has reached global proportions. Recently, the Satori team at HUMAN described how 224 apps have amassed a total of 38 million installs across 228 countries and territories, generating up to 2.3 billion bids per day at peak times.
Google removed all the detected apps from the Play Store, but the tactic itself deserves a separate analysis: it demonstrates how sophisticated click and impression fraud has become.
The scheme hinges on conditional activation of the malicious behavior. After installation, the app queries the Mobile Marketing Attribution SDK to determine the source of the install: an organic click in Play, or a visit to the store page that came through an ad.
Only in the latter case is the fraudulent behavior triggered: the program fetches a module called FatModule from the control server. If the install source is “clean” (organic), the app simply behaves as described on its store page. This filter works in the operators’ favor: the risk of detection by analysts and lower-level analytics is reduced, and the fake traffic is obscured inside legitimate campaigns.
The FatModule implementation is non-trivial. The app receives four PNG images containing steganographically hidden parts of the APK file. The components are decrypted and assembled on the device, after which the module collects information about the environment (device and browser parameters) and runs invisible activities in a hidden WebView: opening pages, scrolling, initiating clicks, and displaying ads. One monetization channel is gaming and news sites, where ads are displayed very frequently; as long as the invisible window stays open, the impression and click counters keep climbing.
The network of supporting domains is structured on several levels. The platforms promoting the apps converge on the “ad2.cc” node, which serves as a Level 2 C2. In total, approximately 300 domain names related to distribution and management have been identified. On the management server, researchers found AI services with self-explanatory names—StableDiffusion, AIGuide, ChatGLM—suggesting the “conveyor belt” nature of content and app production. According to HUMAN, the main traffic flow came from the United States, which accounted for about 30%, followed by India with 10% and Brazil with 7%.
The scheme is further masked by multi-level obfuscation, and conditional execution based on the installation source makes debugging difficult. As a result, advertising platforms and anti-fraud systems receive a mix of real and false signals, with the latter intentionally activated only when the likelihood of an analyst’s presence is minimal.
HUMAN had already reported another similar scheme, IconAds, involving 352 Android apps, confirming the rapid spread of such operations. In the case of SlopAds, cleaning up the Play Store storefront halted the spread, but the techniques identified (steganography, hidden WebView containers, and attribution-based conditional triggering) have already become part of the industrial fraud arsenal.