Security researchers have uncovered a massive mobile ad fraud scheme involving 224 apps on the Google Play Store, collectively downloaded more than 38 million times worldwide.

Dubbed SlopAds, the operation covertly generated fake ad views and clicks in the background, siphoning advertising revenue without delivering genuine engagement to brands.

The scheme was exposed by HUMAN’s Satori Threat Intelligence team, which has since reported the fraudulent apps to Google.

In response, Google took down all the fraudulent apps and activated Play Protect, its built-in defense system that alerts users and guides them to uninstall harmful software.

Researchers revealed that SlopAds concealed its fraud techniques through steganography—the practice of hiding code within images—and WebViews, lightweight in-app browsers that enabled the scheme to run undetected.

These techniques let the apps open hidden windows, access cashout sites run by the fraudsters, and generate fake ad impressions.

At its height, SlopAds was responsible for an astonishing 2.3 billion bid requests per day, underlining the massive potential cost to advertisers worldwide.

The scheme was also carefully designed to avoid detection.

Only apps downloaded via a SlopAds-controlled ad were activated to commit fraud, while all others remained dormant. Researchers called this a “novel abuse of marketing attribution technology,” highlighting just how sophisticated ad fraud has become.

“All users who have these identified apps installed on their device will receive a warning and will be prompted to uninstall them. Play Protect is on by default on Android devices with Google Play Services,” the report reads.

SlopAds’ fraudulent ad traffic reached 228 countries and territories, with the largest shares coming from the United States (31%), India (11%), and Brazil (7%).

Many of the apps, as well as the domains and servers used in the operation, featured an AI-related theme, which inspired the name SlopAds.

The apps also harvested extensive device and browser data, enabling the fraudsters to optimize their operations for maximum impact.

Encrypted instructions, delivered through Google’s Firebase platform, guided the apps to fraud modules, cashout sites, and scripts needed to generate revenue. In some cases, even the fraud management module was concealed within PNG images, later reconstructed on users’ devices into executable code.

A key cash-out method involved HTML5 (H5) games and news sites owned by the fraudsters. These sites served ads at high frequency, but because they ran in hidden WebViews, users never saw them—yet advertisers still paid for impressions and clicks that reached no real audience.

This is not the first instance of fraudsters using apps on the Google Play Store to deceive or attack users.

In October last year, Zscaler’s ThreatLabz team uncovered over 200 malicious apps on the Play Store, collectively downloaded nearly eight million times.

The report also highlighted that Nigeria ranks among the top 10 countries most targeted by these mobile malware campaigns.