Cyber Blog

A massive ad-fraud operation called SlopAds was found operating through 224 Android apps, which together were downloaded 38 million times across 228 countries and territories. The apps inflated ad impressions and clicks using hidden techniques, sending about 2.3 billion bid requests every day at its peak.

The apps carried out this fraud in a stealthy way: when a user installed an app after clicking on an ad (i.e. non-organically), the app reached out to a command-and-control server and downloaded a module known as “FatModule.” If the app was installed organically, it behaved normally without showing fraudulent behavior.

The mechanism of the fraud involved hiding WebViews (browser-like components) behind the scenes, which navigated to sites owned by the fraud operators and generated ad clicks or impressions without the user seeing them. The FatModule was delivered through PNG image files that concealed the APK; it was then decrypted so it could gather device and browser details and commit the fraud.

Traffic came mostly from users in the United States (around 30%), India (10%), and Brazil (7%). In response, Google removed all of the offending apps from the Play Store, effectively disrupting the SlopAds operation.

Researchers noted the increasing sophistication of mobile ad fraud due to campaigns like SlopAds: they trigger fraudulent behavior only under certain conditions (such as after an ad click), use multiple layers of obfuscation, and blend malicious traffic with legitimate campaign data to make detection harder.