
Hundreds of Android apps are showing out-of-context ads and trying to persuade users to give away their credentials.
The app network, dubbed Vapor, was first discovered by IAS Threat Labs researchers a few weeks ago. Now, a report by Bitdefender has added more details on how the network operates.
Overall, researchers found 331 fraudulent apps mimicking various utility applications, such as QR scanners, health and fitness trackers, and expense trackers.
Some, like Aqua Tracker and clickSave downloader, were downloaded over a million times from the Play Store, while collective app downloads exceeded 60 million.
The malicious campaign started in the second half of the year and mostly targeted users from Brazil, the US, and Mexico.
“This is an active campaign. The latest malware published in the Google Play Store went live in the first week of March, 2025. When we finished the investigation, a week later, 15 applications were still available for download on Google Play,” researchers at Bitdefender claim.
According to Google, all of the identified apps from the report have been removed from Google Play Store.
Malicious apps hide in settings to avoid detection
Some of the apps show no malicious behavior prior to installation, which lets them pass Google Play's review.
The apps leverage the Android ContentProvider to gain an initial foothold. This component is initialized right after app installation before any user interaction occurs.
After that, a foreground service is started and used to serve intrusive full-screen ads.
According to Bitdefender, the malicious apps find ways to hide their icon, a behavior that is no longer allowed in Android 12 and later. The malware's developers likely found a bug or are abusing the API.
Some of the apps were observed trying to hide in settings to avoid user removal. In one example, the app changed its name to Google Voice to look like an official one.
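As an added illustration, not code from the article or from Bitdefender, the following Python triage heuristic flags the traits described above (a ContentProvider for early initialization, a foreground service, no visible launcher icon, and a label impersonating a Google app) in a decoded AndroidManifest.xml. The "no enabled MAIN/LAUNCHER entry" check is a general manifest heuristic assumed for this example, not the icon-hiding technique the report identifies, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(el, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def triage_manifest(xml_text):
    """Map each Vapor-style trait from the article to True/False."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    launcher_visible = False
    for comp in list(app.iter("activity")) + list(app.iter("activity-alias")):
        actions = {_attr(a, "name") for a in comp.iter("action")}
        cats = {_attr(c, "name") for c in comp.iter("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats
                and _attr(comp, "enabled") != "false"):
            launcher_visible = True
    label = (_attr(app, "label") or "").strip().lower()
    return {
        # a <provider>'s onCreate() runs at process start, before any UI
        "early_init_provider": app.find("provider") is not None,
        "foreground_service": ("android.permission.FOREGROUND_SERVICE" in perms
                               and app.find("service") is not None),
        # heuristic: no enabled MAIN/LAUNCHER entry, nothing in the app drawer
        "no_visible_launcher_icon": not launcher_visible,
        # the article's example: an app renamed itself "Google Voice"
        "impersonates_google_brand": label.startswith("google"),
    }

# Constructed sample (not a real Vapor app): a decoded manifest with all four traits.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vapor_sample">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Google Voice">
    <provider android:name=".InitProvider" android:authorities="com.example.vapor_sample.init"/>
    <service android:name=".AdService"/>
    <activity android:name=".MainActivity" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a manifest decoded with apktool or aapt; the number of True values is a starting point for review, not a verdict.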
Most of the researched apps use dedicated command-and-control domains, with links specific to each package.
“The malware exfiltrates device information using a dictionary-based structure, but the keys in this dictionary are polymorphed and unique to each application. This means the labels used to send data constantly change, making detection and analysis more difficult,” the researchers claim.
Attackers also try to scare users with threats of infected devices in an effort to persuade them to install third-party apps that could contain malware.
According to Bitdefender, the campaign is either the work of one criminal group or multiple cybercriminals using the same packaging tool sold on black markets.
To avoid detection, the Vapor operators created multiple developer accounts, each hosting only a handful of apps for distribution.