by Brendan Silva
Version 1 (April 23, 2025)
Download (24 downloads)
This flowchart contains the list of 331 malicious apps that were recently removed from the Play Store due to a large-scale fraud scheme. If you don't have Google Play Protect, run this flowchart to check if any of the apps are still installed on your device.
─── 𝗧𝗵𝗲 𝗙𝗿𝗮𝘂𝗱 ───
Google has removed 331 malicious Android apps from the Play Store after researchers uncovered a large-scale ad fraud and phishing operation known as the Vapor Operation.
First discovered in early 2024 by IAS Threat Lab and later expanded by cybersecurity firm Bitdefender, the campaign involved apps that collectively had over 60 million downloads. These apps disguised themselves as harmless tools like health trackers, QR scanners, note apps, and wallpaper apps. Some popular ones included AquaTracker, ClickSave Downloader, Scan Hawk, Water Time Tracker, and TranslateScan, with several of them exceeding a million downloads.
The apps were designed to bypass Android 13's security features. They launched themselves in the background without user input, showed intrusive full-screen ads, disabled the back button, and even hid from the recent apps menu. Some went further by pretending to be legitimate apps like Google Voice or showing fake login screens for Facebook and YouTube to steal passwords and credit card information. Many users reported being trapped in ad loops or redirected to phishing pages.
To get approved by Google, the apps initially appeared to be normal and useful. Once installed, they received updates from remote servers that added malicious features. They were uploaded by different developer accounts, each with only a few apps to avoid raising red flags. Most of these apps appeared on the Play Store between October 2024 and March 2025 and primarily targeted users in countries like Brazil, the US, Mexico, Turkey, and South Korea.
Google confirmed that all the identified apps have been removed from the Play Store, although Bitdefender noted that a few were still online during their investigation. The Vapor Operation shows how cybercriminals continue to find new ways to sneak dangerous apps onto official platforms despite strict security measures.
𝗦𝗼𝘂𝗿𝗰𝗲𝘀: Bitdefender and BleepingComputer.
──────
Tags: ad, ads, af2d, android, app, apps, aqua, attack, aurora, awareness, bitdefender, bypass, check, clicksave, credit card, dangerous, detection, downloader, facebook, fake, fraud, fraudulent, google, harmful, hidden, info, information, injection, installed, keylogger, lab, login, malicious, malware, password, phishing, play protect, privacy, qr scanner, remote, removal, remove, report, risks, scam, security, steals, stolen, store, threat, threats, tracker, trojan, uninstall, users, utility, vapor, virus