Google: As part of a bigger fraud campaign known as the Vapor Operation, researchers from the security company Bitdefender found 331 fake apps on the Google Play Store.
Bitdefender researchers found 331 fake apps on the Google Play Store that were a part of the Vapor Operation, a broader fraud scheme. These applications were using phishing and ad fraud to gain users’ personal information. The startling fact is that these apps passed Android 13’s security and were downloaded over 60 million times.
These dangerous applications are no longer available in Google’s Play Store. But by the end of the study, 15 apps were accessible, according to Bitdefender’s findings. Cybercriminals undertake a fraud scheme called Vapor Operation. It started out with 180 apps that were producing 200 million fake ad requests daily.
This number has now increased to 331 apps, including categories like battery optimizers, notes apps, health trackers, and QR scanners. These apps, which have been downloaded over a million times, include AquaTracker, ClickSave Downloader, and Scan Hawk.
The BeatWatch and TranslateScan applications, which have between one and five lakh downloads, are also listed at the same time. The Google Play Store received these apps between October 2024 and March 2025.
The nations with the highest download counts for these apps were South Korea, America, Mexico, Brazil, and Turkey. They became a serious threat to consumers with less technical expertise in nations like India as well.
At first, these apps just functioned as ad-displaying apps. Following that, updates from the command-and-control (C2) server transmitted malicious code. These apps concealed themselves by making their symbol vanish from the home screen after installation.
Some apps rebranded themselves to appear more reputable, such as Google Voice. These programs would activate automatically after installation. They would display full-screen advertisements while hanging up. By fabricating phony login pages, they attempted to steal data from Facebook, YouTube, and payment gateways.
False notifications stating that “your phone is afflicted with a virus” were flashed by certain apps in an attempt to trick users into downloading further malware. Numerous customers expressed concern over being caught in an ad loop when clicking on any button would take them to a fraudulent website. Many apps were created with the intention of stealing users’ passwords and financial information.
