Vapor Apps on Google Play: 60 Million Android Users at Risk from Malicious Downloads

Over 300 Malicious Android Apps Installed 60 Million Times in 'Vapor' Campaign

A large-scale malware operation, dubbed "Vapor," has infiltrated Google Play, with over 300 malicious apps being downloaded 60 million times. These apps acted as adware, committed large-scale ad fraud, and attempted to steal user credentials and credit card information.


Discovery of the Vapor Campaign

The campaign was first uncovered by IAS Threat Lab, which has tracked the operation since early 2024. Initially, 180 apps were identified, generating 200 million fraudulent ad bid requests daily. A later report from Bitdefender expanded the scope of the campaign to 331 malicious apps, targeting users in Brazil, the United States, Mexico, Turkey, and South Korea.

Bitdefender warns that these apps engage in out-of-context advertising, phishing scams, and unauthorized financial data collection. Although Google has removed the identified apps from the Play Store, the attackers have already demonstrated the ability to bypass security reviews, posing an ongoing threat.

How Vapor Apps Evade Google Play’s Security

The malicious apps, disguised as utility tools, successfully passed Google's security checks by initially offering legitimate functionality. Categories of these apps included:

  • Health and fitness trackers

  • Note-taking tools

  • Battery optimizers

  • QR code scanners

Rather than embedding malware in the initial app submission, attackers delivered malicious updates post-installation via command-and-control (C2) servers. This method allowed them to remain undetected during Google's review process.

Notable Malicious Apps Identified

Several high-download apps have been identified as part of the Vapor campaign, including:

  • AquaTracker – 1 million downloads

  • ClickSave Downloader – 1 million downloads

  • Scan Hawk – 1 million downloads

  • Water Time Tracker – 1 million downloads

  • Be More – 1 million downloads

  • BeatWatch – 500,000 downloads

  • TranslateScan – 100,000 downloads

  • Handset Locator – 50,000 downloads

These apps were uploaded under different developer accounts to minimize detection and disruption in case of takedowns. Additionally, each publisher used distinct ad SDKs to further evade security measures.

How the Malware Works

The Vapor apps employed several advanced evasion techniques:

  • Hiding App Icons: The apps disabled their launcher activity after installation, making them invisible in the app drawer. Some even renamed themselves in Settings to appear as legitimate Google apps like "Google Voice."

  • Auto-Launching Without User Interaction: The malware activated itself using native code to enable hidden components while keeping the main app launcher disabled.

  • Bypassing Android 13+ Security: Android 13 and later restricts apps from dynamically disabling their own launcher activities; the Vapor apps used techniques to circumvent this restriction and hide themselves anyway.

  • Fullscreen Overlay Attacks: Some apps displayed persistent, fullscreen ads that overlaid other apps, making it impossible for users to exit using the back button.

  • Credential and Financial Theft: A subset of the apps displayed fake login screens for platforms like Facebook and YouTube, tricking users into entering their credentials or credit card details.

Protecting Your Device from Malicious Apps

To safeguard against similar threats, Android users should:

  • Avoid installing unnecessary apps, especially from unknown developers.

  • Carefully review app permissions and be wary of excessive requests.

  • Regularly check the list of installed apps in Settings → Apps → See all apps.

  • Use Google Play Protect or a reputable mobile security solution to scan for malware.
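One way to turn the icon-hiding technique described above and the "check your installed apps" advice into a repeatable check is to list third-party packages that expose no enabled launcher activity. The script below is an added example, not code from the article or from IAS or Bitdefender; it assumes the text output of two adb commands (`pm list packages -3` and `cmd package query-activities --brief` for MAIN/LAUNCHER) has been captured, and the sample outputs embedded in it are constructed, not taken from a real device.

```python
"""Triage installed Android packages that expose no launcher activity.

Assumed inputs (captured from a device with adb; output format assumed):
  adb shell pm list packages -3
  adb shell cmd package query-activities --brief \
      -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
"""
import re

# Constructed sample of `pm list packages -3` output (third-party packages only).
PM_LIST_OUTPUT = """\
package:com.example.notes
package:com.example.watertimer
package:com.example.keyboard
package:com.example.batterysaver
"""

# Constructed sample of query-activities output: one '<package>/<activity>'
# line per enabled launcher activity, preceded by a count header.
LAUNCHER_QUERY_OUTPUT = """\
3 activities found:
  com.android.settings/.Settings
  com.example.notes/.MainActivity
  com.example.batterysaver/com.example.batterysaver.ui.Home
"""


def parse_packages(pm_output: str) -> set[str]:
    """Package names from 'package:<name>' lines of `pm list packages`."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def parse_launcher_packages(query_output: str) -> set[str]:
    """Packages that still expose an enabled MAIN/LAUNCHER activity.
    The '<package>/<activity>' lines are matched; the count header is skipped."""
    found = set()
    for line in query_output.splitlines():
        m = re.match(r"\s*([\w.]+)/", line)
        if m:
            found.add(m.group(1))
    return found


def packages_without_launcher(pm_output: str, query_output: str) -> list[str]:
    """Third-party packages with no enabled launcher activity.
    This is a triage list, not a verdict: keyboards, widgets and background
    services legitimately have no icon, so each hit needs a manual look."""
    return sorted(parse_packages(pm_output) - parse_launcher_packages(query_output))


if __name__ == "__main__":
    for pkg in packages_without_launcher(PM_LIST_OUTPUT, LAUNCHER_QUERY_OUTPUT):
        print("no launcher activity:", pkg)
```

In the constructed sample the keyboard is a benign hit and the water tracker is the one worth inspecting in Settings → Apps → See all apps, which is exactly why the output is a shortlist rather than a detection.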

Google’s Response

In response to the Vapor campaign, Google has removed all identified apps from the Play Store. A Google spokesperson stated:

"All of the identified apps from this report have been removed from Google Play. Android users are also automatically protected by Google Play Protect, which is on by default on Android devices with Google Play Services."

Despite this, the threat remains, as attackers continue to find ways to bypass security measures. Users should stay vigilant and take proactive measures to protect their devices and personal data.
