Monday, July 7, 2025

Massive Android Fraud Campaigns Target Users Worldwide

Recent investigations have revealed several Android fraud campaigns targeting users globally through malicious apps and fake platforms.

One major operation, named IconAds, included 352 Android apps that served hidden ads and concealed their presence on devices. These apps hijacked devices by displaying ads over active apps and hiding icons to prevent easy removal by users.

At its peak, IconAds generated over 1.2 billion ad bid requests daily. The bulk of its traffic came from Brazil, Mexico, and the United States. Researchers link IconAds to similar threats like HiddenAds and Vapor, which have bypassed Google Play’s security since 2019. These apps used obfuscation to hide device data, declared aliases to mask activities, and replaced the launcher activity to avoid detection.

In some cases, they pretended to be the Google Play Store, redirecting users while running malicious code in the background. New versions added checks to detect Play Store installation and more layers of code obfuscation. HUMAN researchers expect more of these apps to appear using fresh techniques and names.

Another growing threat is the Kaleidoscope ad fraud campaign, which uses a method known as the “evil twin” attack. Hackers publish a clean version of an app on Google Play while distributing a fake version through third-party stores. The fake app floods users with full-screen ads, stealing advertising revenue while hurting performance. Kaleidoscope evolved from a previous campaign called Konfety, which embedded ad code in apps using the CaramelAds SDK.

The malicious code is now hidden under new names like Adsclub, Leisure, and Raccoon to avoid detection. This fraud model hits users in Latin America, India, Egypt, and Türkiye where unofficial app stores are popular.

One Portuguese company, Saturn Dynamic, helps power the Kaleidoscope network by offering monetization tools for shady developers.

From ads to banking fraud, Android fraud campaigns are getting more advanced and dangerous.

New threats use NFC (Near Field Communication) technology to commit contactless payment fraud with tools like NGate and SuperCard X. Attackers clone payment card data, then use infected phones to make purchases at terminals around the world.

Another tactic, called Ghost Tap, registers stolen card data into Google Pay or Apple Pay for global payment fraud. ESET warns that these fake transactions look legitimate and easily bypass security measures at checkout.

In Uzbekistan, nearly 100,000 devices were infected with an SMS-stealing malware called Qwizzserial. The malware stole banking info and intercepted two-factor codes via Telegram bots, causing at least $62,000 in losses. Attackers spread this malware by mimicking official banking apps and government services on Telegram. Once installed, Qwizzserial grabs bank account details and SMS codes and sends them to hackers via HTTP requests. The malware also asks users to turn off battery optimization, ensuring it stays active in the background.

Fake wedding invites and hacked TikTok clones have also been used to spread spyware like SpyMax RAT and SparkKitty. These fake apps, hosted on phony websites, steal images and personal data from Android and iOS users.

SparkKitty uses optical character recognition (OCR) to scan images for crypto wallet seed phrases and other sensitive info. Kaspersky researchers traced SparkKitty’s activities to Southeast Asia and China, with infections active since early 2024. The malware bypasses Apple’s App Store by exploiting developer certificates to install spyware on iPhones.

These Android fraud campaigns highlight the growing danger of unofficial apps and malicious third-party stores. Users should only install apps from trusted sources and review permissions carefully before granting access.
