Researchers have uncovered a widespread campaign involving malicious Android applications that amassed over 60 million downloads from Google Play. These apps were utilized to deliver intrusive advertisements and steal user credentials and banking information.
Dubbed “Vapor” by analysts at IAS Threat Lab, this malicious operation has reportedly been ongoing since early 2024. Initial investigations revealed 180 applications linked to fraudulent schemes, generating as many as 200 million ad requests daily. However, an extensive analysis by Bitdefender later identified a total of 331 malicious apps, highlighting Brazil, the United States, Mexico, Turkey, and South Korea as the regions most severely impacted.
The malicious applications, masquerading as useful utilities—including fitness trackers, planners, battery optimizers, and QR scanners—successfully bypassed Google Play’s security checks by initially omitting harmful code. Post-installation, these apps covertly downloaded malicious payloads from remote command-and-control servers.
According to Bitdefender, these apps concealed their activity by disabling the Launcher Activity within AndroidManifest.xml, rendering themselves invisible to the user interface. In some instances, they mimicked legitimate system services like Google Voice. Once launched, hidden modules were silently activated, persisting unnoticed in the background.
Additionally, the malware circumvented Android 13+ security restrictions by creating full-screen overlays, effectively preventing users from exiting intrusive ads. They also concealed themselves from the recent apps list, making it impossible for users to identify the origin of the pop-ups.
Some of these malicious apps went beyond aggressive ad fraud, creating fake login screens for Facebook and YouTube to harvest user credentials. Furthermore, under various guises, they solicited sensitive banking card information from unsuspecting victims.
Although all identified malicious programs have since been removed from Google Play, experts caution that threat actors may continue the campaign by uploading newer iterations of these apps. Researchers emphasized that the attackers leveraged multiple developer accounts, mitigating the risk of mass removal.
Among the most widely installed infected apps were:
- AquaTracker: 1 million downloads;
- ClickSave Downloader: 1 million downloads;
- Scan Hawk: 1 million downloads;
- Water Time Tracker: 1 million downloads;
- Be More: 1 million downloads;
- BeatWatch: 500,000 downloads;
- TranslateScan: 100,000 downloads;
- Handset Locator: 50,000 downloads.
These applications were initially published between October 2024 and January 2025, with uploads continuing until March.
Security specialists recommend Android users avoid unnecessary apps from unknown developers, carefully monitor requested permissions, and regularly audit their installed applications via “Settings → Apps → All Apps.”
If any of the listed applications are found on a device, immediate removal is strongly advised, followed by a comprehensive system scan using Google Play Protect and reputable antivirus software.
