Image by Pathum Danthanarayana, from Unsplash
Massive Mobile Ad Fraud Campaign Hidden In Google Play Apps
Reading time: 2 min
Last Updated: Jul 5, 2025
-
![Kiara Fabbri]()
-
![Sarah Frazier]()
Fact-Checked by Sarah Frazier Content Manager
Cybersecurity researchers discovered 352 hidden Android apps operating as stealthy ad fraud tools, which produced 1.2 billion fake ad bids daily before they shut down the operation.
In a rush? Here are the quick facts:
- conAds campaign used 352 malicious Android apps.
- Fraud scheme generated 1.2 billion daily ad bid requests.
- Apps hid icons and ran in background.
HUMAN’s Satori Threat Intelligence team successfully disrupted the complex ad fraud operation known as IconAds.
The operation involved 352 Android applications, which secretly loaded ads while concealing their icons from user detection. The daily operation of IconAds reached its peak at 1.2 billion ad bid requests, which primarily originated from Brazil, Mexico, and the United States.
The apps used advanced obfuscation tactics to avoid detection. “IconAds’ primary obfuscation technique uses seemingly random English words to hide certain values,” explained Satori researchers.
The attackers also embedded harmful code within encrypted libraries while employing distinctive command-and-control (C2) domains for each application to conceal their traffic.
The application ‘‘com.works.amazing.colour’’ changed its icon to a blank white circle and loaded ads even when no app was open. Others impersonated popular apps like Google Play or Google Home, running silently in the background while serving fraudulent ads.
To hide their activities, these apps disabled their visible components after installation and used aliases with no name or icon. In some cases, they included license checks to confirm they were downloaded from the Play Store, refusing to run otherwise. They also used DeepLinking services to decide when to activate the malicious code.
The identified apps received removal from Google Play, and Google Play Protect provides users with protection against these threats.
According to HUMAN, “Customers partnering with HUMAN for Ad Fraud Defense are and have been protected from the impact of IconAds.”
The attack demonstrates how mobile ad fraud operations are becoming more sophisticated, so experts recommend that advertisers, platform developers, and app developers enhance their monitoring systems, improve transparency, and work together to prevent upcoming threats.
Previous Story
Latest articles 
