A recent report from cybersecurity firm Bitdefender reveals that hundreds of “malicious” Android apps, part of a large-scale ad fraud campaign called “Vapor”, have been installed millions of times, impacting users worldwide.

These apps often appear as harmless utilities like QR code scanners, battery optimizers, and fitness trackers. However, once installed, they engage in harmful behaviors such as displaying intrusive ads in an attempt to steal sensitive information through phishing attacks.

Bitdefender highlighted that these apps could show ads even when users aren’t actively using the app, continuing to run in the background. Some also mimic legitimate login screens to trick users into entering sensitive data.

“The apps display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks,” Bitdefender’s Security Analyst, Silviu Stahie, warned.

Despite Android 13’s security measures, these apps managed to activate without user interaction — a technically impossible feat on this version of Android. Although the apps have mostly been removed from the Google Play Store, there’s still a risk that the attackers behind the campaign could return.

The malware bypassed Google’s app review process and Android’s security features. Of the 331 apps involved, 10 remain active and have received updates, showing ongoing efforts to evade detection. In March 2025, new malware linked to the campaign was found on the Play Store.

Some of these apps initially launched without malicious code but were later updated with harmful features. Researchers believe the attackers have refined their tactics, with some apps even hiding their icons to avoid detection. These apps remain especially dangerous on newer Android versions by bypassing app launchers and concealing their activity.

The creators of this malware use various tactics to hide their apps, including exploiting Android’s Leanback Launcher (usually for Android TV) and blocking users from exiting by disabling the “back” button.

Though Google has removed many of the apps, the campaign is ongoing. “Google has removed many of the apps, and we can easily conclude that the attackers are trying to modify their malware in their efforts to stay ahead of the detection systems,” added Stahie.

Experts recommend avoiding apps from untrustworthy publishers and regularly scanning devices for harmful software. Enabling Google Play Protect or using third-party antivirus software can help prevent such attacks.