
SlopAds’ Highly Obfuscated Android Malware Scheme Makes a Mess of the Internet Before Satori Cleanup


João Santos

September 16, 2025

Ad Fraud, Click Fraud, Research & Detection, Threat Intelligence


Fraudsters are being forced to become increasingly sophisticated just to get their schemes off the ground. The Satori Threat Intelligence and Research Team’s most recent investigation, which exposed an ad fraud and click fraud operation dubbed SlopAds, uncovered two standout obfuscation tactics: the abuse of marketing attribution tools and steganographic payload delivery.

The collection of 224 mobile apps (and growing) creates hidden WebViews, navigates to threat actor–controlled cashout sites, and clicks on ads to generate fraudulent revenue. These apps have been downloaded more than 38 million times across 228 countries and territories from Google’s Play Store. At its peak, SlopAds generated 2.3 billion fraudulent bid requests per day. As of the publication of the report, Google had removed all of the identified apps listed in the SlopAds report from Google Play. Google Play Protect automatically protects users from apps known to exhibit SlopAds-associated behavior.

Here’s how the threat actors did it—and how Satori disrupted them.

Subverting Marketing Attribution for Conditional Fraud

Attribution platforms usually track the source of app installs, helping brands and agencies understand which campaigns were successful in driving downloads. SlopAds, however, weaponizes attribution in two key ways:

  • After install, SlopAds-associated apps query a mobile marketing attribution SDK to learn whether the install was “non-organic” (the user arrived by clicking on an ad run by the threat actor) or “organic” (the user installed the app without interacting with that ad campaign)
  • The fraud modules load only for installs the SDK attributes to the threat actor’s own ad campaign; organic installs never receive the fraud code

Satori researchers haven’t seen the abuse of marketing attribution platforms as a gate for ad fraud before. That’s concerning for two reasons. First, this tactic gives the threat actors a more complete feedback loop: fraud triggers only when the install came through their own campaign, which is reason to believe the device isn’t one a security researcher pulled from the store for examination, so a test device that installs organically sees a benign app. Second, it blends malicious traffic into legitimate campaign data, complicating detection.

Steganography as a Covert Delivery Channel

Following on the novel abuse of marketing attribution, SlopAds also made use of steganography to deliver the FatModule payload.

This stage involved the C2 server splitting the FatModule APK into chunks hidden inside ordinary-looking PNG files. These PNG images were fetched post-install, and the fraud payload extracted and reassembled on the device. 

Because the fraud payload is not present in the published APK and arrives later as what look like ordinary image downloads, standard binary scanners that examine the app at submission time and network-based scanners that watch for executable content are unlikely to flag it. Signature and heuristic engines that do not parse image files see only innocuous PNGs.
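The following is an added example, not HUMAN’s or Satori’s code and not SlopAds’ own implementation: it shows both sides of a chunked, image-borne payload (a C2 that splits a payload across valid PNG files, and an on-device routine that reassembles it) alongside the kind of image-file inspection the recommendations below ask for. The embedding scheme is an assumption for illustration only: fragments are stored in a private ancillary chunk type named `stEG` carrying a 2-byte fragment index. The report does not document how SlopAds hid its FatModule chunks, so the detector leans on properties any chunk-level smuggling tends to leave behind (unknown chunk types, bad CRCs, data after `IEND`, non-pixel data outweighing pixel data) rather than on that assumed scheme. The payload bytes are constructed sample data.

```python
"""Added example (not HUMAN/Satori code): PNG carrier construction, reassembly,
and chunk-level inspection. The 'stEG' private chunk is an ASSUMED embedding
scheme for illustration; the real SlopAds scheme is not documented here."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types from the PNG spec and common extensions (APNG, eXIf); anything else is worth a look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                b"bKGD", b"cHRM", b"gAMA", b"iCCP", b"pHYs", b"sBIT", b"sRGB",
                b"tIME", b"tRNS", b"hIST", b"sPLT", b"eXIf", b"acTL", b"fcTL", b"fdAT"}
PIXEL_CHUNKS = (b"IHDR", b"PLTE", b"IDAT", b"IEND")
# Constructed stand-in for a payload; real APKs are ZIP files and start with "PK\x03\x04".
SAMPLE_PAYLOAD = b"PK\x03\x04" + bytes(range(256)) * 4


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(fragment: bytes = b"", index: int = 0) -> bytes:
    """Valid 1x1 RGB PNG; if `fragment` is given, smuggle it in the assumed private chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")       # filter byte + one red pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    if fragment:
        body += _chunk(b"stEG", struct.pack(">H", index) + fragment)
    return PNG_SIG + body + _chunk(b"IEND", b"")


def build_carriers(payload: bytes, parts: int) -> list:
    """C2 side: split payload into `parts` fragments, one carrier PNG each."""
    size = -(-len(payload) // parts)  # ceiling division
    return [make_png(payload[i * size:(i + 1) * size], i) for i in range(parts)]


def parse_png(png: bytes):
    """Walk the chunk list; return (chunks as (type, data, crc_ok), bytes after IEND)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):                       # truncated chunk: record and stop
            chunks.append((ctype, b"", False))
            return chunks, b""
        data = png[pos + 8:end - 4]
        crc_ok = struct.unpack(">I", png[end - 4:end])[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, png[pos:]


def inspect_png(png: bytes) -> dict:
    """Pipeline check: flag unknown chunk types, bad CRCs, trailing data after IEND,
    and files whose non-pixel bytes outweigh the pixel data they supposedly carry."""
    chunks, trailing = parse_png(png)
    findings = []
    for ctype, data, crc_ok in chunks:
        if ctype not in KNOWN_CHUNKS:
            findings.append("unknown chunk %s (%d bytes)" % (ctype.decode("latin-1"), len(data)))
        if not crc_ok:
            findings.append("bad CRC on %s" % ctype.decode("latin-1"))
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
    pixel = sum(len(d) for t, d, _ in chunks if t in PIXEL_CHUNKS)
    other = sum(len(d) for t, d, _ in chunks if t not in PIXEL_CHUNKS) + len(trailing)
    if other > pixel:
        findings.append("non-pixel data (%d) exceeds pixel data (%d)" % (other, pixel))
    return {"suspicious": bool(findings), "findings": findings}


def reassemble(pngs: list) -> bytes:
    """On-device side under the assumed scheme: pull fragments out, order by index, join."""
    frags = {}
    for png in pngs:
        for ctype, data, crc_ok in parse_png(png)[0]:
            if ctype == b"stEG" and crc_ok:
                frags[struct.unpack(">H", data[:2])[0]] = data[2:]
    return b"".join(frags[i] for i in sorted(frags))


if __name__ == "__main__":
    carriers = build_carriers(SAMPLE_PAYLOAD, 3)
    for i, c in enumerate(carriers):
        print("carrier", i, inspect_png(c))
    print("clean PNG:", inspect_png(make_png()))
    print("reassembled payload intact:", reassemble(carriers) == SAMPLE_PAYLOAD)
```

The inspection deliberately does not look for the `stEG` name: an attacker picks the chunk type, so a detector keyed to one name is brittle, whereas unknown types, CRC mismatches, bytes past `IEND`, and an image whose metadata outweighs its pixels are structural signs that survive renaming. In a pipeline, the same check belongs on images an app fetches after install, not only on assets shipped inside the APK.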

Conclusion and Recommendations

These two unusual tactics, especially when combined with the broad variety of other obfuscation tactics present in SlopAds, underscore the growing sophistication of ad fraud-focused threat actors. 

We’ve come a long way from the days of simple bots in data centers. SlopAds employed layered obfuscation, digital steganography to deliver malicious modules, anti-debugging and anti-analysis checks, and hidden traffic redirection to disguise activity. The extensiveness of its C2 network and promotional domains suggests the SlopAds threat actors were actively preparing for further expansion. Researchers expect the threat actors to adapt and develop new apps and techniques.

HUMAN’s proactive threat intelligence and research identified and disrupted SlopAds before it could further expand. Our team monitored anomalous activity, traced it to the C2 and promotional network, and ensured customers remained shielded from financial impact. Customers partnering with HUMAN for Ad Fraud Defense and Ad Click Defense are protected from the effects of SlopAds. Google is actively removing SlopAds-associated apps as they’re published and identified.

Security teams and ad platforms can protect themselves from threats like SlopAds by monitoring attribution SDK callbacks for anomalous patterns and by integrating image-file inspection into threat-intelligence pipelines, so that images an app fetches after install are parsed for data that is not image data. Above all else, they must stay vigilant as fraudsters continue innovating. For our part, we will continue monitoring to identify and mitigate future iterations.
