Security researchers at Bitdefender, a renowned cybersecurity firm, have uncovered a widespread ad fraud and phishing campaign involving 331 malicious apps on the Google Play Store. The campaign, named Vapor Operation, successfully evaded Android’s security measures, including those in Android 13, and amassed over 60 million downloads globally.
First identified by IAS Threat Lab in early 2024, the campaign was initially linked to 180 apps. These apps generated an estimated 200 million fraudulent ad requests daily, manipulating advertisers' budgets through fake clicks.
In response, Google has confirmed that "all of the identified apps from this report have been removed from Google Play." However, Bitdefender noted that 15 of these apps were still accessible by the time their research was completed.
Vapor Operation is a sophisticated cybercriminal scheme that has been active since early 2024. Initially, it functioned primarily as an ad fraud operation, designed to exploit advertisers by faking user engagement and maximizing ad revenue through fraudulent clicks.
Over time, the campaign expanded its reach to include 331 apps across various categories, including:
Health tracking apps
QR scanners
Note-taking tools
Battery optimization apps
Some of the fraudulent apps that have been identified include:
AquaTracker, ClickSave Downloader, and Scan Hawk – Each had over 1 million downloads.
TranslateScan and BeatWatch – These apps had between 100,000 to 500,000 downloads.
These apps were primarily distributed on Google Play between October 2024 and March 2025, with a strong presence in:
Brazil
United States
Mexico
Turkey
South Korea
While malware-based attacks are not new, what makes Vapor Operation particularly alarming is its ability to evade Google’s security measures for Android.
The fraudulent apps were initially uploaded as legitimate-looking advertisement tools, ensuring they passed Google Play’s security checks. However, the actual malicious code was later delivered through remote updates from command-and-control (C2) servers.
Once installed, many apps:
Disabled their launcher activity in the AndroidManifest.xml file, effectively hiding their icons from users’ home screens (a technique that Android 13 and later versions have banned).
Renamed themselves in device settings to mimic trusted apps like Google Voice, further concealing their malicious intent.
To remain undetected, these apps leveraged Android’s contact content provider system, which allowed them to launch without user interaction. This method helped them bypass restrictions introduced in Android 13.
Once active on a device, these apps engaged in aggressive ad fraud techniques, including:
Forcing full-screen ads that covered the device interface.
Creating virtual secondary screens to block users from exiting ads.
Disabling the back button to force prolonged ad exposure.
Hiding from the ‘Recent Tasks’ menu, making them difficult to close.
Beyond ad fraud, some apps escalated to phishing attempts, tricking users into entering sensitive credentials on fake login pages imitating:
YouTube
Payment portals
In some cases, fraudulent warning messages appeared, falsely claiming that the device was “infected” and urging users to download more malware in an attempt to extract further data.
This has been a growing concern in India, where many users, particularly non-tech-savvy individuals, have fallen victim to similar scams.
Even though Google has removed most of these apps, it’s essential to adopt proactive security measures. Here’s what you can do:
Only download apps from reputable developers and official sources.
Check app reviews and ratings for signs of suspicious activity.
Go to Settings > Apps > See All Apps and compare them with what’s visible on your home screen to detect hidden malware.
Enable Google Play Protect, which scans installed apps for harmful behavior.
It automatically scans the Google Play Store apps before they are downloaded.
Regularly update your Android OS and installed apps to patch security vulnerabilities.
The discovery of Vapor Operation highlights the persistent threat of cybercriminals exploiting app stores to spread malware and ad fraud. While Google has taken swift action, users must remain vigilant.
With cyber threats evolving rapidly, it's essential to practice safe downloading habits and rely on trusted security tools to protect personal data.
By following best security practices, Android users can minimize risks and safeguard their devices against malicious apps.