SlopAds used layered obfuscation, digital steganography to deliver malicious modules, debugging and anti-analysis checks, and hidden traffic redirection to disguise activity
NEW YORK, NY — September 16, 2025 — HUMAN Security, Inc., a leading cybersecurity company committed to enabling trusted interactions and transactions across humans, bots, and AI agents, today announced that it has uncovered and disrupted a sophisticated ad fraud and click fraud operation dubbed SlopAds.
The scheme, investigated by HUMAN’s Satori Threat Intelligence and Research Team (Satori®), involves a collection of 224 mobile apps that created hidden WebViews, navigated to threat actor–controlled cashout sites, and clicked on ads to generate fraudulent revenue. SlopAds used layered obfuscation, digital steganography to deliver malicious modules, debugging and anti-analysis checks, and hidden traffic redirection to disguise activity. The apps were downloaded more than 38 million times from Google’s Play Store before removal. At its peak, SlopAds generated 2.3 billion fraudulent bid requests per day across 228 countries and territories.
“SlopAds highlights the evolving sophistication of mobile ad fraud, including stealthy, conditional fraud execution and rapid scaling capabilities,” said Gavin Reid,
CISO at HUMAN. “We fully expect the threat actors behind the scheme to continue to adapt and develop new apps and techniques, and HUMAN will be right here identifying and mitigating future iterations as a result.”
HUMAN monitored anomalous activity, traced it to a vast C2 and promotional network, and shielded customers from financial impact. SlopAds stands out for its novel use of attribution and measurement tools as an obfuscation tactic. Satori identified a threat actor-run ad campaign that promoted the apps, perpetuating the downstream ad and click fraud attacks. HUMAN’s Ad Fraud Defense and Ad Click Defense integrate real-time intelligence uncovered from investigations such as SlopAds to detect and filter out ad fraud pre-bid. Customers leveraging Ad Fraud Defense remain protected from the effects of SlopAds.
“This operation shows new ways threat actors are trying to cover tracks,” said
João Santos, Senior Manager of Threat Intelligence at HUMAN. “The level of obfuscation is quite complex. Threat actors retrieve encrypted configuration with a set of URLs, one for downloading the ad fraud module, URLs for a collection of H5 cashout domains, and another with a JavaScript payload powering the click fraud attack. Only sophisticated technology can catch those types of threats, which makes partnering with a company like HUMAN imperative for early detection and protection of schemes like this.”
As of the publication of the report, Google removed all of the identified apps listed in SlopAds report from Google Play. Google Play Protect automatically protects users from apps known to exhibit SlopAds associated behavior. To learn more about the SlopAds operation, visit the HUMAN blog and read the full technical report. This is an active investigation, and we continue to discover additional findings.
About HUMAN
HUMAN is a leading cybersecurity company committed to protecting the integrity of the digital world. We enable trusted interactions and transactions across the full spectrum of online actors: humans, bots, and AI agents. The Human Defense Platform safeguards the entire customer journey with high-fidelity decision-making that defends against bots, fraud, and digital threats. Each week, HUMAN verifies 20 trillion digital interactions, providing unparalleled telemetry data to enable rapid, effective responses to even the most sophisticated threats. Recognized by our customers as a G2 Leader, HUMAN continues to set the standard in cybersecurity. For more information, please visit www.humansecurity.com.