A large-scale Android ad fraud operation known as SlopAds has been disrupted after researchers uncovered 224 malicious applications on Google Play. At its peak, the campaign generated an astonishing 2.3 billion ad requests per day.
The operation was detailed by HUMAN’s Satori Threat Intelligence team, which reported that the apps had been downloaded more than 38 million times before Google removed them. To avoid detection, the threat actors relied on advanced evasion techniques, including obfuscation and steganography, to conceal their malicious activity from Google’s app review system and security tools.
SlopAds had a global footprint, with installations reported across 228 countries. The largest volume of fraudulent traffic originated from the United States (30%), followed by India (10%) and Brazil (7%). Researchers explained that the name “SlopAds” came from the low-quality, mass-produced nature of the apps, resembling “AI slop,” and the fact that the attackers hosted AI-themed services on their infrastructure.
The SlopAds campaign deployed a two-faced app strategy. If a user downloaded an app directly from the Play Store, it behaved like a normal application, offering the promised functionality. However, when the app was installed via one of the attackers’ ad campaigns, it activated hidden fraud mechanisms.
The apps used Firebase Remote Config to fetch an encrypted configuration file containing URLs for ad fraud modules, cashout servers, and JavaScript payloads. To further evade researchers, the apps verified whether they were running on a legitimate device or under analysis.
If the checks passed, the apps downloaded four PNG images that secretly contained fragments of a malicious APK through steganography. Once reassembled, this APK created a malware module called FatModule, which powered the ad fraud operation.
FatModule executed the fraud by running hidden WebViews to collect device and browser fingerprints and then connect to attacker-controlled domains. These domains impersonated legitimate gaming and news websites, continuously serving ads in the background. This process generated billions of fraudulent ad impressions and clicks daily, funneling revenue back to the attackers.
The campaign’s infrastructure included over 300 promotional domains and multiple command-and-control servers, indicating that the attackers were preparing for significant expansion beyond the 224 known apps.
Although Google has now removed the identified apps and updated Google Play Protect to warn users about them, researchers caution that the sophistication of SlopAds suggests the group will likely attempt a comeback with refined techniques.
Android users are advised to check their devices for unfamiliar or suspicious apps. They should rely on trusted developers and sources when downloading software. Users are also advised to keep Google Play Protect enabled and regularly updated.
