Researchers at HUMAN’s Satori Threat Intelligence and Research Team have uncovered “SlopAds,” a large-scale ad and click fraud operation leveraging 224 Android applications downloaded more than 38 million times across 228 countries and territories to deploy fraud modules and siphon ad revenue at scale stealthily.
SlopAds distinguishes itself through a multi-layered obfuscation strategy that activates only on installs originating from threat actor–run ad campaigns, significantly reducing the footprint left for forensic analysis.
Upon non-organic installation, each SlopAds app connects to Firebase Remote Config to retrieve an encrypted configuration. This configuration includes URLs for four PNG images that contain fragments of an APK hidden via digital steganography.
When reassembled on the device, these images reconstruct FatModule, the core fraud component. Before reconstruction, the app employs a mobile marketing attribution check that abuses legitimate attribution tags to confirm that the install resulted from a tracked ad click.
Only then does FatModule download commence, ensuring organically installed instances exhibit benign behavior and divert analysis.
Advanced Evasion and Fraud Mechanisms Drive 2.3 Billion Daily Bid Requests
Once FatModule is in place, SlopAds implements robust anti-analysis measures. The module aborts execution if it detects debugging tools, emulated environments, or rooted devices.
All strings within the app and FatModule itself remain encrypted, and native Java code is packed to conceal functionality at first glance. These counter-reverse-engineering tactics significantly hinder sandboxing and static analysis efforts.
Following these checks, SlopAds apps launch hidden WebViews to collect device fingerprinting data, user-agent strings, browser attributes, and rooting indicators, which the C2 server uses to select high-value targets.
Validated devices then receive instructions to navigate multiple threat actor–owned H5 cash-out domains. Each domain redirects several times to sanitize referrer headers and disguise the traffic’s origin.
Within hidden WebViews, the domains host game or news sites programmed to display viewable ads and execute automated clicks at precise coordinates and timings. This mimics legitimate user engagement, achieving high fill and click-through rates.
At its peak, SlopAds generated approximately 2.3 billion bid requests per day, with traffic concentrated in the United States (30%), India (10%), and Brazil (7%).
Extensive C2 infrastructure and over 300 promotional domains funnel users to SlopAds apps, underscoring the threat actors’ capacity to scale.
Google Play Protect automatically warns users and blocks known SlopAds apps at install time, and Google has removed all identified packages from the Play Store. However, off-market installations remain vulnerable until users manually uninstall impacted apps.
Customers leveraging HUMAN’s Ad Fraud Defense and Ad Click Defense solutions are fully protected against SlopAds’ sophisticated tactics. Satori researchers continue to monitor newly staged apps and evolving fraud modules to preempt adversary adaptations and safeguard the digital advertising ecosystem.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
.webp?resize=1068,580&ssl=1&description=Malicious Android Apps - Researchers at HUMAN’s Satori Threat Intelligence and Research Team have uncovered “SlopAds,” a large-scale ad.){kind=link}