An ad fraud scheme, dubbed IconAds, that served out-of-context mobile ads has led Google to pull 352 apps from its Play Store.
The operation, uncovered by cybersecurity firm HUMAN, was designed to generate revenue through spoofed ad impressions. Users download Android apps—which pose as generic tools like flashlights, file scanners, and photo apps—that hide their icons on user screens to impede detection. They then display ads on users’ screens, even when the apps in question are not in use.
At its peak, the apps generated around 1.2 billion ad bid requests per day. Traffic generated by IconAds primarily originated from Brazil, Mexico, and the U.S.
“This is a very uninvestigated, unseen side of the internet where fraudsters are making millions of dollars, and there aren’t a lot of people that are paying attention or actually mitigating,” said Gavin Reid, HUMAN’s chief information security officer.
Four months ago, a similar Android ad fraud scheme was uncovered by ad verification firm Integral Ad Science, leading Google to remove more than 180 apps from the Play Store.
Google declined ADWEEK’s request for comment.
“The bad actors make their apps look like other apps so that people install them,” explained Reid. “They don’t need to have millions of installs of that particular app, because new ones are coming next week, and the ones that are there stay there forever.”
In some examples, impacted apps appeared on users’ home screens as white circles with no name. When a user clicked the white circle, nothing happened. The apps then deploy hidden ad-serving code, serving interstitial ads on the user’s screen, regardless of whether the app is in use or not.
In another instance, an app mimicked the Google Play Store logo. When a user clicked, the app redirected the user to the real Google Play Store—only to work secretly in the background to serve out-of-context ads.
“At first, when we found this threat, the icon of the app would just be hidden,” said João Santos, senior manager of threat intelligence at HUMAN. “Now it’s more common to find apps in this threat where they just replace the icon with Gmail, Google Maps, or something like that. So you install an application for ‘Wallpapers 2025,’ but when you go to your app drawer, you only see Google Home or Google Maps.”
Not only did the apps obscure their display icons to deter detection, they employed a variety of other “very thorough” obfuscation tactics from the app display to the server, Santos said.
In some cases, the apps encrypted key data within hard-to-find parts of their native code. They frequently used misleading file names and metadata, and often tried to hide details like operating system version, device model, and language when connecting to networks by using random English words in their code.
A similar tactic was used for naming the apps’ domains, too.
“If you have a wallpaper app, it will be something like ‘bag.wallpaperapp.com,’ and all the requests are going to that server,” explained Santos. “All the parameters—for instance, your device model, the Android version—instead of being called ‘Android version,’ they will be called ‘desk,’ or ‘pen.’ It will be unique for each application, which also makes it hard to detect these at the network level.”
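The renaming Santos describes defeats signatures that key on parameter names, because every app picks its own words. A defender can instead classify outbound requests by the shape of the values, which the fraudster cannot rename without breaking the fingerprint. The following is an added illustration, not code from HUMAN or from the article; the request URLs, hostnames and regexes are constructed for the example and the heuristic is a triage aid, not a verdict.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample requests (not real IconAds traffic). The first two use
# arbitrary English words as keys, as the article describes; the third is an
# ordinary API call that should not be flagged.
SAMPLE_REQUESTS = [
    "https://bag.wallpaperapp.example/r?desk=Pixel%207&pen=14&cup=pt_BR&ts=1718000000",
    "https://tree.flashlightapp.example/c?moon=SM-A525F&sun=13&lamp=es_MX",
    "https://api.example/weather?city=Denver&units=metric",
]

# Value-shape detectors. Keys are ignored on purpose: the key is whatever word
# the app chose, but an Android version, a locale or a device model still has
# to look like one for the fraudster's server to use it.
VALUE_SHAPES = {
    "android_version": re.compile(r"^(?:[4-9]|1[0-9])(?:\.\d){0,2}$"),
    "locale": re.compile(r"^[a-z]{2}[_-][A-Z]{2}$"),
    "device_model": re.compile(
        r"^(?:SM-[A-Z]\d{3}[A-Z]?|Pixel \d[a-z]?|Redmi .+|moto .+)$"
    ),
}

# Substrings a non-obfuscated client would normally put in the key name.
DESCRIPTIVE_KEY_WORDS = {"os", "android", "version", "model", "device",
                         "lang", "locale", "sdk"}


def classify_params(url):
    """Map each recognised fingerprint field to the (key, value) carrying it."""
    found = {}
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        for shape, pattern in VALUE_SHAPES.items():
            if shape not in found and pattern.match(value):
                found[shape] = (key, value)
    return found


def looks_like_obfuscated_fingerprint(url, min_fields=2):
    """True when at least min_fields device-fingerprint values travel under
    keys that do not describe them (e.g. 'desk' carrying a device model)."""
    found = classify_params(url)
    if len(found) < min_fields:
        return False
    descriptive = sum(
        any(word in key.lower() for word in DESCRIPTIVE_KEY_WORDS)
        for key, _ in found.values()
    )
    return descriptive == 0


def flag_requests(urls):
    """Return (host, detected fields) for every request worth a closer look."""
    return [
        (urlparse(u).hostname, classify_params(u))
        for u in urls
        if looks_like_obfuscated_fingerprint(u)
    ]


if __name__ == "__main__":
    for host, fields in flag_requests(SAMPLE_REQUESTS):
        print(host, fields)
```

Run against a proxy or NetFlow export of query strings, the hosts it returns are candidates for review, not confirmed fraud: a legitimate SDK with terse key names will also trip it, so the value-shape table and the threshold should be tuned against known-good traffic before any blocking decision.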
In some instances, the apps functioned as expected, and then later deployed an update that introduced a back door to serve out-of-context ads.
Infected apps were also associated with a variety of shell publisher companies.
“They’d launch 20 applications in the Play Store, and they’d all be associated with one publisher,” said Santos. “Then, as long as these applications were being removed and detected from the Play Store, they would create another publisher—another fake entity.”
Apps involved in the IconAds scheme were able to keep monetizing because users often didn’t know how to delete them or chose not to do so.
HUMAN has been tracking this kind of fraudulent behavior since 2023, but earlier this year saw activity spike and tactics grow more sophisticated, spurring deeper research.
After being alerted about the fraudulent operation, Google pulled all of the detected apps from the Play Store.
Google’s Play Protect system, which runs by default, can notify users or block specific apps that display malicious behavior on Android devices.
When asked about the effectiveness of Google Play Protect, Reid said: “Any kind of fraud protection needs to be tuned and updated with the latest techniques, and that’s where we help Google.”