Security researchers, a company Bitdefinder, who specializes in cyber security, has demolished large -scale advertising fraud and phishing expeditions on Google Play Store, including 331 malicious apps. Dubbed vapor operation, this fraud campaign managed to bypass security facilities in Android 13 and collectively download more than 60 million downloads. The campaign was first discovered by the IAS Threat Lab in early 2024, which initially linked 180 apps with operation.

According to the researchers, malicious apps manifests as harmless devices, but secretly bomb users with infiltration advertisements, theft credibility, and even cut card details. In a statement by Bleepingcomputer, Google confirmed that “all identified apps of this report have been removed from Google Play.” However, Bitdefnder noted in his report that 15 apps were still available until the research was completed.

What is a vapor operation?

The vapor campaign run by cyber criminals is active from the beginning of 2024. It initially began as an advertising fraud scheme. The IAS Threat Lab originally stated that the campaign consisted of 180 apps that generated 200 million fraudulant advertising requests daily. These apps were designed to dry the budget of advertisers through fake click.

In its latest report, Bitdefnder noted that in malicious operation, there are now 331 apps in categories such as health trackers, QR scanners, note taking equipment and battery optimizer.

Some of these cheated apps include:

Aquatracker, clicksave downloader, and scan haw, with each 1 million downloads.

Translator and Beatwatch, which have 100,000 and 500,000 downloads.

Allegedly, these apps were uploaded to Google Play between October 2024 and March 2025, mainly users in Brazil, America, Mexico, Turkey and South Korea.

How the attack was detected

While malware attacks are reported from time to time, the vapor operation was particularly related as it managed to avoid Google’s safety measures for Android.

According to the report, the apps bypassed the Android Security Check by acting as an advertisement app at the time of submission. The malicious code was later distributed through the update from the command-end-control (C2) server.

After their installation, apps disable their launcher activities in Androidmanifest.xml file, removed their icon from the home screen – a strategy restricted in Android 13 and subsequent versions. Some changed their names in device settings to imitate reliable apps such as Google Voice.

Once the apps controlled the system, they misused Android’s contact material provider system to launch without user interactions, bypassing Android 13 restrictions.

Apps then issued full-screen advertisements, kidnaping devices through a virtual secondary screen, disabled back buttons and hide from the “recent task” menu. Some apps also increased for fishing, displaying fake login pages for Facebook, YouTube and payment portal. This is a problem that users in India have often faced, especially users who are not very technical intelligent.

While many app advertisements focused on fraud, others targeted the sensitive information of the victims. Many affected users reported to be trapped in the ends of advertisements that would not close or advertise advertisements to explain the fishing pages. In one case, the apps falsely claimed that the equipment to pressurize users in downloading additional malware was “infected”.

How to be safe

Although Google has removed most of these malware-infected apps, it is still important to take safety precautions while downloading the apps from the Play Store and when browsing the Internet. Here are some things:

Avoid unnecessary apps: Always download the app from famous developers and check the permissions asked by the app.

Check installed apps: Compare your app drawer with Settings> Apps>> Watch all apps to spot Hidden Malware.

Use safety equipment: Enable security equipment such as Google Play Protect, which examines your apps and equipment for harmful behavior. It also runs a security check on the apps from Google Play Store before downloading.

Update regularly: Ensure that your Android OS and apps are updated to patches weaknesses.