Massive Malware Attack Hits Google Play Store: Over 300 Apps, 60 Million Downloads Affected
A significant security breach has been uncovered on the Google Play Store, revealing over 300 malicious applications that have collectively been downloaded more than 60 million times. These apps, designed to mimic legitimate tools, were found to be engaging in abusive advertising practices and attempting to steal sensitive user data, including credit card and login credentials.
Discovery and Initial Findings
Researchers from IAS Threat Lab initially identified approximately 180 apps involved in advertising fraud, dubbing the malware “Vapor.” These apps are believed to have been active since 2024. During this time, they generated illicit revenue for attackers by displaying hidden advertisements. As a result, victims’ devices were exploited without their knowledge.
Expanded Investigation and Scope
However, a subsequent investigation by Bitdefender revealed an even larger scale of the operation, pushing the total number of malicious apps to 331. These apps primarily targeted users in Brazil, the United States, Mexico, and South Korea.
Malware Functionality and Tactics
The “Vapor” malware operates by silently displaying ads in the background, making it difficult for users to detect the fraudulent activity. Furthermore, these ads often redirected users to fake websites designed to phish for login and credit card details.
Evasion Techniques
What makes this attack particularly insidious is the apps’ ability to disguise their malicious behaviour. They appeared to function as advertised, often providing useful tools like QR code readers, device optimisers, and system utilities. The apps initially evaded Google’s security checks by keeping their malicious functionality disabled, so they appeared harmless during the submission process. Once approved, however, they activated the hidden threats through subsequent remote updates.
Identified Malicious Apps
Notable app names associated with the malware include AquaTracker, ClickSave Downloader, Scan Hawk, Water Time Tracker, Be More, and BeatWatch. These apps were uploaded to the Play Store from various developer accounts, with the most active period of submissions occurring between October 2024 and January 2025.
Concealment Methods
To further conceal their presence, the malicious apps employed tactics such as changing their names in the Android Settings to mimic legitimate system apps like Google or Google Voice.
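One way a defender could check a device inventory for the renaming trick described above. This is an added example, not code from IAS Threat Lab, Bitdefender or Google. The inventory format, the sample entries and the `com.example.*` package names are constructed, and the label-to-package allowlist is an assumption to extend for your own fleet.

```python
import unicodedata

# Assumption: display labels worth protecting, mapped to the package(s)
# that legitimately carry them. Extend for other system apps.
PROTECTED_LABELS = {
    "google": {"com.google.android.googlequicksearchbox"},
    "google voice": {"com.google.android.apps.googlevoice"},
}


def normalize_label(label):
    """Fold a display label so look-alike spellings compare equal."""
    # NFKC maps full-width and other compatibility forms to plain letters.
    text = unicodedata.normalize("NFKC", label)
    # Drop invisible format characters (zero-width space, joiners, ...).
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    # Case-insensitive, with runs of whitespace collapsed and ends trimmed.
    return " ".join(text.casefold().split())


def find_label_impersonators(inventory):
    """Return package names whose label claims a protected name they do not own."""
    findings = []
    for app in inventory:
        owners = PROTECTED_LABELS.get(normalize_label(app["label"]))
        if owners is not None and app["package"] not in owners:
            findings.append(app["package"])
    return findings


# Constructed inventory, e.g. as exported from an MDM: package name + shown label.
SAMPLE_INVENTORY = [
    {"package": "com.google.android.googlequicksearchbox", "label": "Google"},
    {"package": "com.example.qrscanner", "label": "Google Voice"},
    {"package": "com.example.watertracker", "label": "Goo\u200bgle "},
    {"package": "com.example.optimizer", "label": "\uff27\uff4f\uff4f\uff47\uff4c\uff45"},
    {"package": "com.example.notes", "label": "Notes"},
    {"package": "com.google.android.apps.googlevoice", "label": "Google Voice"},
]

if __name__ == "__main__":
    for package in find_label_impersonators(SAMPLE_INVENTORY):
        print("label impersonates a system app:", package)
```

A hit is a lead for review, not proof of malware: it only says the label and the package name disagree.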
Security Implications and Recommendations
This incident highlights the persistent challenge of maintaining security on app marketplaces, even those with robust security measures. While the Google Play Store remains a generally safe platform, users are strongly advised to exercise caution when downloading new apps, especially those from unfamiliar developers. It is also recommended to minimise the number of unnecessary apps installed on devices to reduce the potential attack surface.