Security experts have uncovered a large-scale ad fraud operation that infected millions of Android users through seemingly harmless apps downloaded from Google Play. The campaign, known as “Vapor”, involved hundreds of malicious apps that secretly bombarded users with intrusive ads while attempting to steal sensitive data.
The operation was first flagged by IAS Threat Lab, which detected 180 harmful apps posing as utility, fitness, and lifestyle tools. While these apps appeared functional during the initial review, their true purpose emerged once users downloaded updates. These updates stripped the apps of any visible features, making them almost impossible to detect on the device.
According to the IAS report, once the malware fully activated, it immediately took over the user’s screen with endless full-screen video ads. This relentless ad barrage rendered many devices nearly unusable, with victims struggling to regain control.
The malicious apps rapidly gained traction, amassing more than 56 million downloads by the end of January 2025, with noticeable spikes between late 2024 and early 2025. However, cybersecurity firm Bitdefender revealed even more shocking numbers—reporting that 331 malicious apps were part of the scheme, collectively surpassing 60 million downloads.
Further investigation revealed that beyond generating fake ad views, some of these apps were involved in phishing attacks. They attempted to steal personal information, including user credentials and credit card details.
What made the Vapor campaign especially dangerous was its ability to bypass many of Android’s latest security measures. The malware could perform restricted actions like hiding app icons from the launcher, displaying ads outside the app environment, and launching without any user interaction.
Bitdefender’s analysis uncovered apps tailored for Android TV, which could switch their icons on and off freely. Some versions were even capable of hiding from the device’s Settings menu, making manual removal nearly impossible for the average user.
Most of the fraudulent apps appeared on Google Play between August 2024 and January 2025, with a few surfacing as recently as March 2025. Disturbingly, this suggests the campaign was still active when researchers wrapped up their investigation.
Bitdefender found that the apps were programmed to operate independently, displaying ads and phishing prompts without user initiation. These apps connected to dedicated command-and-control (C&C) domains, allowing hackers to send custom messages designed to trick users into providing sensitive data.
Despite the sophisticated techniques used, both IAS and Bitdefender promptly reported their findings to Google. As a result, Google has now removed all identified malicious apps from its store.
In response, Google confirmed the removal of these harmful applications, assuring Android users that Google Play Protect, which runs by default on most Android devices, helps prevent such attacks.
However, cybersecurity experts warn that similar schemes could emerge again. Users are advised to stay vigilant, carefully review app permissions, and avoid downloading unknown apps, even from official stores like Google Play.
