
Malicious Android ‘Vapour’ apps on Google Play are installed 60 million times

Over 300 malicious Android apps, installed 60 million times from Google Play, served as adware or attempted to steal credentials and credit card information.

The operation was initially discovered by IAS Threat Lab, which classified the malicious activity as “Vapour” and stated that it had been ongoing since early 2024.

IAS detected 180 apps as part of the Vapour campaign, which generated 200 million fraudulent advertising bid requests daily to commit large-scale ad fraud.

Bitdefender’s latest published report raised the number of malicious apps to 331, with many infections reported in Brazil, the United States, Mexico, Turkey, and South Korea.

“The apps display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks,” according to Bitdefender.

Although all of these apps have now been removed from Google Play, there is a high possibility that Vapour may resurface in new apps, as threat actors have already demonstrated the ability to circumvent Google’s approval process.

Vapour apps on Google Play
The apps utilised in the Vapour campaign are utilities that provide specialised functionality such as health and fitness tracking, note-taking tools and diaries, battery optimisers, and QR code scanners.

The apps pass Google’s security checks since they feature the advertised functionality and have no malicious components at the time of submission. Instead, the malicious functionality is downloaded after installation via updates sent from a command and control (C2) site.

Some notable cases highlighted by Bitdefender and IAS are:

  • AquaTracker – 1 million downloads
  • ClickSave Downloader – 1 million downloads
  • Scan Hawk – 1 million downloads
  • Water Time Tracker – 1 million downloads
  • Be More – 1 million downloads
  • BeatWatch – 500,000 downloads
  • TranslateScan – 100,000 downloads
  • Handset Locator – 50,000 downloads.

They were uploaded to Google Play from various developer accounts, each publishing only a few apps, so that a takedown would disrupt only a small part of the operation. For the same reason, each publisher uses a different ads SDK.

The majority of the Vapour apps were published on Google Play between October 2024 and January 2025, with uploads continuing until March.

Malicious functionality
The malicious Vapour apps disable their Launcher Activity in the AndroidManifest.xml file after installation, rendering them invisible in the app drawer. In certain circumstances, they rename themselves in Settings so that they appear to be legitimate apps (such as Google Voice).

The apps launch without user involvement and employ native code to activate a secondary hidden component while keeping the launcher turned off to keep the icon concealed.

According to Bitdefender, this technique bypasses Android 13+ security measures that prevent apps from dynamically disabling their launcher activities while running.

The malware circumvents Android 13+’s ‘SYSTEM_ALERT_WINDOW’ permission constraints and creates a secondary screen that functions as a fullscreen overlay.

Advertising appears on this screen, which is overlaid on top of all other apps, leaving the user with no way out because the ‘back’ button is disabled.

The software also removes itself from ‘Recent Tasks,’ leaving the user unable to discern which app launched the ad they were just shown.

According to Bitdefender, some apps go beyond ad fraud, displaying phoney login pages for Facebook and YouTube to steal credentials or push users to enter credit card information under false pretences.

Android users should avoid installing unneeded apps from untrustworthy publishers, carefully review granted permissions, and compare the app drawer with the list of installed apps via Settings → Apps → See all apps.
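The check recommended above, and the disabled Launcher Activity described under Malicious functionality, can be turned into a script over adb output. The following is an added example, not from the article, Bitdefender or IAS: it compares the third-party package list with the launcher-activity query and prints packages that have no launcher entry. Package names are constructed samples, and the line format of `cmd package query-activities --brief` is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): list third-party packages that have
# no LAUNCHER activity, i.e. apps present under Settings > Apps but absent
# from the app drawer. Input is the text output of two adb shell commands:
#   pm list packages -3                                -> lines "package:<pkg>"
#   cmd package query-activities --brief -a android.intent.action.MAIN \
#       -c android.intent.category.LAUNCHER            -> lines "<pkg>/<Activity>"
# (the --brief line format is assumed here, not taken from the article).

# hidden_packages PKG_OUTPUT LAUNCHER_OUTPUT -> one package per line, sorted
hidden_packages() {
  {
    # "L <pkg>" for every package that exposes a launcher activity
    printf '%s\n' "$2" | tr -d '\r' \
      | sed -n 's#^[[:space:]]*\([A-Za-z0-9_.]*\)/.*#L \1#p'
    # "P <pkg>" for every installed third-party package
    printf '%s\n' "$1" | tr -d '\r' \
      | sed -n 's/^package:\([A-Za-z0-9_.]*\).*/P \1/p'
  } | awk '$1 == "L" { has[$2] = 1 }
           $1 == "P" && !has[$2] && !seen[$2]++ { print $2 }' | sort
}

# Constructed sample device output: four third-party apps, two of which have
# no launcher entry (the state left behind by a disabled Launcher Activity).
SAMPLE_PACKAGES='package:com.example.notes
package:com.example.qrscan
package:com.example.battery
package:com.example.fitness'

SAMPLE_LAUNCHERS='Activity #0:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  com.example.notes/.MainActivity
Activity #1:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  com.example.fitness/com.example.fitness.ui.HomeActivity
Activity #2:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  com.android.settings/.Settings'

# Offline run on the constructed sample: prints com.example.battery and com.example.qrscan
hidden_packages "$SAMPLE_PACKAGES" "$SAMPLE_LAUNCHERS"

# Against a connected device (requires adb; not run here):
#   hidden_packages "$(adb shell pm list packages -3)" \
#     "$(adb shell cmd package query-activities --brief \
#          -a android.intent.action.MAIN -c android.intent.category.LAUNCHER)"
```

Treat the output as a review list rather than a verdict: input methods, plugins and similar packages legitimately ship without a launcher activity.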

The list of all 331 fraudulent apps posted to Google Play is available here.

If you discover that you have installed any of these apps, uninstall them immediately and perform a full system scan with Google Play Protect (or another mobile antivirus program).

BleepingComputer approached Google for comment on the Vapour campaign, but no statement was forthcoming at the time of writing.
