Malicious Android 'Vapor' apps on Google Play installed 60 million times

Although all of these apps have since been removed from Google Play, there's a significant risk that Vapor will return through new apps, as the threat actors have already demonstrated the ability to bypass Google's review process.

Bitdefender reports that some apps go beyond ad fraud, displaying fake login screens for Facebook and YouTube to steal credentials or prompting users to enter credit card information under various pretenses. Over 300 malicious Android applications, downloaded 60 million times from Google Play, acted as adware or attempted to steal credentials and credit card information. The apps pass Google's security reviews because they include the promoted functionality and do not contain malicious components at the time of submission.

The complete list of all 331 malicious apps uploaded on Google Play is available here. If you discover that you have installed any of those apps, remove them immediately and run a complete system scan with Google Play Protect (or other mobile AV products).

The apps used in the Vapor campaign are utilities offering specialized functionality like health and fitness tracking, note-taking tools and diaries, battery optimizers, and QR code scanners.

It is generally recommended that Android users avoid installing unnecessary apps from non-reputable publishers, scrutinize granted permissions, and compare the app drawer with the list of installed apps from Settings → Apps → See all apps.

A newly published report by Bitdefender increased the number of malicious apps to 331, reporting many infections in Brazil, the United States, Mexico, Turkey, and South Korea. "The apps display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks," warns Bitdefender.

The malicious Vapor apps turn off their Launcher Activity in the AndroidManifest.xml file after installation, making them invisible.
Bitdefender comments that this method bypasses Android 13+ security protections that prevent apps from dynamically disabling their own launcher activities once they are active. The apps launch without user interaction and use native code to enable a secondary hidden component while keeping the launcher disabled to keep the icon hidden.

IAS identified 180 apps as part of the Vapor campaign, generating 200 million fraudulent advertising bid requests daily to engage in large-scale ad fraud.

In some cases, they rename themselves in Settings to appear as legitimate apps (e.g., Google Voice). The ads are displayed on this screen, which is overlaid on top of all other apps, leaving the user with no way to exit as the 'back' button is disabled.

They are uploaded on Google Play from various developer accounts, each pushing only a few to the store, so as not to risk high disruption in case of takedowns.

BleepingComputer has contacted Google for a comment on the Vapor campaign, but a statement wasn't available by the time of publication.

The operation was first uncovered by IAS Threat Lab, who categorized the malicious activity under the name "Vapor" and said it has been ongoing since early 2024.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
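
The comparison of the app drawer with the installed-app list recommended above can be automated over adb. This is an added example, not code from the article, Bitdefender or IAS: it lists user-installed packages that have no enabled launcher activity. The package names and command outputs embedded in it are constructed, and the line layout of the `--brief` output is an assumption.

```python
import re
import subprocess
import sys

# Constructed sample outputs (not from a real device or from the report).
SAMPLE_PACKAGES = """\
package:com.example.qrscanner
package:com.example.notes
package:com.example.keyboard
"""
SAMPLE_LAUNCHERS = """\
2 activities found:
  Activity #0:
    priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
    com.example.notes/.MainActivity
  Activity #1:
    priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
    com.android.settings/.Settings
"""

# Assumed layout: a component line is "<package>/<activity class>" and nothing else.
COMPONENT = re.compile(r"^\s*([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+\s*$")

def installed_packages(pm_output):
    """Package names from `pm list packages` lines of the form package:<name>."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def launcher_packages(query_output):
    """Packages that own at least one enabled MAIN/LAUNCHER activity."""
    return {m.group(1) for line in query_output.splitlines()
            if (m := COMPONENT.match(line))}

def without_launcher(pm_output, query_output):
    """User-installed packages that show no icon in the app drawer."""
    return sorted(installed_packages(pm_output) - launcher_packages(query_output))

def adb_shell(*args):
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    if "--device" in sys.argv:  # query a connected device instead of the samples
        pkgs = adb_shell("pm", "list", "packages", "-3")
        launch = adb_shell("cmd", "package", "query-activities", "--brief",
                           "-a", "android.intent.action.MAIN",
                           "-c", "android.intent.category.LAUNCHER")
    else:
        pkgs, launch = SAMPLE_PACKAGES, SAMPLE_LAUNCHERS
    print("\n".join(without_launcher(pkgs, launch)))
```

Legitimate packages such as keyboards, widgets and background services also have no launcher activity, so the output is a list of candidates to review against what the user remembers installing.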

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 18 Mar 2025 17:55:13 +0000

