A sophisticated mobile ad fraud operation, known as SlopAds, recently penetrated the Google Play Store with 224 malicious applications, collectively garnering over 38 million downloads across 228 countries and territories. The operation employed advanced techniques such as steganography and multi-layered obfuscation to deliver fraudulent advertising payloads while skillfully evading detection.
Conditional Fraud Activation
The SlopAds campaign utilized a conditional fraud system, activating its malicious payloads only when users installed apps through specific advertising channels rather than organic visits to the Play Store. This tactic allowed the apps to maintain a guise of legitimacy, staying on the platform longer despite their fraudulent nature. According to Human Security analysts, the operation orchestrated approximately 2.3 billion fraudulent bid requests daily at its peak, with significant traffic from the United States, India, and Brazil.
Exploiting Development Services
The fraudulent apps took advantage of legitimate development services, notably Firebase Remote Config, to retrieve encrypted configuration data. This data contained URLs pointing to the download of the primary fraud module, termed 'FatModule'. The delivery of these payloads relied on digital steganography, where command-and-control servers dispatched specially crafted PNG files embedded within encrypted ZIP archives. Upon decryption and reassembly, these images revealed APK components forming the complete FatModule.
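The page describes PNG files that carried APK components, but it does not say how the payload was hidden inside the images. The following is an added triage example written for this article, not tooling from Human Security or Google: it parses a PNG chunk by chunk and flags the generic anomalies a defender would look for in a suspect image, namely non-standard chunk types, CRC mismatches, embedded archive or code magic bytes, and bytes trailing after the IEND chunk. The sample images at the bottom are constructed inline so the script runs offline; the appended `PK` archive is a fake placeholder, not a real payload.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is worth a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}

# File signatures that should never appear inside image data.
EMBEDDED_MAGICS = {b"PK\x03\x04": "zip/apk", b"dex\n": "dex", b"\x7fELF": "elf"}


def parse_png_chunks(data):
    """Return (chunks, offset) where chunks is a list of (type, payload, crc_ok)
    and offset is the byte position just after the IEND chunk (or where
    parsing stopped)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) < length or len(crc_bytes) < 4:
            break  # truncated chunk; stop rather than misparse
        crc_ok = struct.unpack(">I", crc_bytes)[0] == zlib.crc32(ctype + payload)
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def suspicious_png_findings(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    chunks, end = parse_png_chunks(data)
    for ctype, payload, crc_ok in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({len(payload)} bytes)")
        if not crc_ok:
            findings.append(f"CRC mismatch on chunk {ctype!r}")
        for magic, name in EMBEDDED_MAGICS.items():
            if magic in payload:
                findings.append(f"{name} magic inside chunk {ctype!r}")
    trailer = data[end:]
    if trailer:
        findings.append(f"{len(trailer)} bytes after IEND")
        for magic, name in EMBEDDED_MAGICS.items():
            if magic in trailer:
                findings.append(f"{name} magic in trailer")
    return findings


def _chunk(ctype, payload):
    """Build one well-formed PNG chunk (length, type, payload, CRC)."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


# Constructed 1x1 grayscale PNG used as the clean baseline.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = PNG_SIGNATURE + _chunk(b"IHDR", IHDR) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")

# Constructed suspect: same image with a fake archive appended after IEND.
TRAILER_PNG = CLEAN_PNG + b"PK\x03\x04" + b"constructed fake archive bytes"

# Constructed suspect: a private, non-standard chunk carrying archive magic.
PRIVATE_CHUNK_PNG = (PNG_SIGNATURE + _chunk(b"IHDR", IHDR) + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
                     + _chunk(b"daTa", b"PK\x03\x04" + b"constructed fake archive bytes") + _chunk(b"IEND", b""))

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PNG), ("trailer", TRAILER_PNG), ("private-chunk", PRIVATE_CHUNK_PNG)):
        print(name, suspicious_png_findings(sample) or "no findings")
```

Run it against a directory of images pulled from a suspect APK's assets or from network captures; an image that is valid enough to open in a viewer can still fail every one of these checks, which is exactly why steganographic delivery slips past casual inspection.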
Advanced Anti-Analysis Techniques
FatModule was designed with multiple anti-analysis measures to thwart detection and examination. These included detection of debugging and hooking frameworks (searching for terms like 'hook', 'Xposed', and 'Frida'), string encryption, and packed native code, all aimed at inhibiting both static and dynamic analysis. Fraud execution occurred within concealed WebViews, which collected device fingerprinting data, such as hardware specifications and GPU details, so that the fraudulent traffic could be tailored to the device. These hidden WebViews were then directed to attacker-owned cashout domains, generating fraudulent ad impressions and clicks without the user's knowledge.
In response to these malicious activities, Google has removed the identified SlopAds applications from its Play Store. To further safeguard its users, Google Play Protect automatically warns against and blocks the installation of known malicious apps, inclusive of those involved in this campaign.