Over 300 malicious Android applications downloaded 60 million items from Google Play acted as adware or attempted to steal credentials and credit card information.

The operation was first uncovered by IAS Threat Lab, who categorized the malicious activity under the name “Vapor” and said it has been ongoing since early 2024.

IAS identified 180 apps as part of the Vapor campaign, generating 200 million fraudulent advertising bid requests daily to engage in large-scale ad fraud.

A newly published report by Bitdefender increased the number of malicious apps to 331, reporting many infections in Brazil, the United States, Mexico, Turkey, and South Korea.

“The apps display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks,” warns Bitdefender.

Although all of these apps have since been removed from Google Play, there’s a significant risk that Vapor will return through new apps as the threat actors have already demonstrated the ability to bypass Google’s review process.

Vapor apps on Google Play

The apps used in the Vapor campaign are utilities offering specialized functionality like health and fitness tracking, note-taking tools and diaries, battery optimizers, and QR code scanners.

The apps pass Google’s security reviews because they include the promoted functionality and do not contain malicious components at the time of submission. Instead, the malware functionality is downloaded post-installation via updates delivered from a command and control (C2) server.

Some notable cases highlighted by Bitdefender and IAS are:

• AquaTracker – 1 million downloads
• ClickSave Downloader – 1 million downloads
• Scan Hawk – 1 million downloads
• Water Time Tracker – 1 million downloads
• Be More – 1 million downloads
• BeatWatch – 500,000 downloads
• TranslateScan – 100,000 downloads
• Handset Locator – 50,000 downloads.

They are uploaded on Google Play from various developer accounts, each pushing only a few to the store, so as not to risk high disruption in case of takedowns. For similar reasons, each publisher uses a different ads SDK.

Most of the Vapor apps were published on Google Play between October 2024 and January 2025, though uploads continued until March.​

Malicious functionality

The malicious Vapor apps turn off their Launcher Activity in the AndroidManifest.xml file after installation, making them invisible. In some cases, they rename themselves in Settings to appear as legitimate apps (e.g., Google Voice).

The apps launch without user interaction and use native code to enable a secondary hidden component while keeping the launcher disabled to keep the icon hidden.

Bitdefender comments that this method bypasses Android 13+ security protections that prevent apps from dynamically disabling their own launcher activities once they are active.

The malware also bypasses the ‘SYSTEM_ALERT_WINDOW’ permission restrictions on Android 13+ and creates a secondary screen that acts as a fullscreen overlay.

The ads are displayed on this screen, which is overlayed on top of all other apps, leaving the user with no way to exit as the ‘back’ button is disabled.

The app also removes itself from ‘Recent Tasks,’ so the user cannot determine which app launched the ad they just got.

Bitdefender reports that some apps go beyond ad fraud, displaying fake login screens for Facebook and YouTube to steal credentials or prompt users to enter credit card information under various pretenses.

It is generally recommended that Android users avoid installing unnecessary apps from non-reputable publishers, scrutinize granted permissions, and compare the app drawer with the list of installed apps from Settings → Apps → See all apps.

The complete list ofof all 331 malicious apps uploaded on Google Play is available here.

If you discover that you have installed any of those apps, remove them immediately and run a complete system scan with Google Play Protect (or other mobile AV products).

BleepingComputer has contacted Google for a comment on the Vapor campaign, but a statement wasn’t available by the time of publication.