Scammers are using Play Store apps to serve ads that nobody can escape

Most went live in September, and all share a similar code library meant to help avoid detection.
Google Play Store
A Google Play Store advertisement in New York's Times Square. (Getty Images)

A sneaky network of more than 100 Android applications is allowing fraudsters to make money by pushing pervasive advertisements to users’ devices, according to new cybersecurity findings.

The device owners aren’t the real victims, even though they’re being exploited.  The constant stream of ads, some miniscule and others loud and inescapable, are leveraging victims’ phones as conduits for scammers to rip off companies’ marketing dollars.

More than 100 applications with some 4.6 million downloads from the Google Play Store include malicious code that enables the bogus advertising network, according to research published Thursday by the bot detection firm White Ops.

Android subscribers who downloaded these apps, some of which still existed on the Play Store at press time, believed they were installing programs that would predict their fortune, play games, take selfies or remove bugs. But the apps also abused their access to inundate the devices with advertisements that could be tracked but often couldn’t be seen.


Most of the apps first appeared in the Play Store in mid-September and, while duplicitous apps are all too common, these findings are the latest evidence ad fraud campaigners are investing in new ways to maintain access on affected devices.

“The code has aggressive persistence mechanisms,” said Inna Vasilyeva, a threat intelligence analyst at White Ops. “Once we started looking into one application, we could see that it was related to what a lot of other apps were doing.”

This malicious activity was made possible by two code libraries, which White Ops dubbed Soraka and Sogo. The apps also use AppsFlyer, a framework for mobile attribution and marketing analytics. It’s a combination that enables the apps to remove a background notification service meant to prohibit fraud activity when a phone is powered down, and schedule ads to start appearing seconds after those anti-fraud measures are disabled.

The paychecks available to ad fraud scammers are large enough to encourage the research and development of new malware and evasion techniques, which then can be repurposed to carry out more traditional forms of cybercrime. U.S. prosecutors accused one fraud ring of stealing roughly $30 million over a span of years, in part by commandeering a network of 1.7 million hacked computers.

In this case, White Ops researchers cited Best Fortune Explorer, an app still lurking on the Play Store at press time, as one of the most nefarious. The game promises to predict user’s future, such as when they will meet their true love and if they will be promoted at work. In fact, based on White Ops’ code analysis, the app sends a nonstop stream of ads that many of the thousands of negative reviewers compared to a virus.


A representative from Google’s Play Store acknowledged questions about White Ops’ findings to CyberScoop before press time.

The app, which has 170,000 downloads, was published on Sept. 9 and shares many characteristics with the larger Soraka network, White Ops determined.

Researchers from throughout the security community in recent months have tightened their focus on mobile apps that promise one thing only to do something very different. Google removed more than 100 adware-laced apps from the Play Store in response to findings from Trend Micro, while Wandera also has uncovered gaming apps capable of stealing users’ credentials.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts