The SlopAds Operation: A New Level of Ad Fraud
A sprawling advertising-fraud operation known as SlopAds hid behind a storefront of hundreds of seemingly innocuous Android apps and ballooned into a global enterprise. Researchers at Satori (HUMAN) recently described how 224 programs amassed a total of 38 million installs across 228 countries and territories and, at peak, generated as many as 2.3 billion ad-auction bid requests per day. Google has removed the discovered apps from Play, but the tactic itself merits close scrutiny—it starkly illustrates how sophisticated click- and impression-fraud schemes have become.
The operation hinges on conditional activation of malicious behavior. After installation each app queries a mobile-marketing attribution SDK to determine the install source—whether organic from Play or the result of an ad click. Fraudulent behaviors are triggered only in the latter case: the app fetches a component called FatModule from a command-and-control server, whereas when the install appears “clean” the app behaves exactly as its Play Store listing promises. This filter provides operators with convenient feedback and lowers the chance of detection—fraudulent traffic is drowned among legitimate campaigns and is less likely to be seen by analysts.
FatModule delivery is nontrivial. The app retrieves four PNG images that contain steganographically embedded fragments of an APK. Those fragments are decoded and assembled on the device, after which the module enumerates the environment—device and browser parameters—and initiates invisible activity inside hidden WebViews: opening pages, scrolling, generating clicks and impressions. Monetization often targets high-frequency gaming and news sites; while the invisible view remains open, impression and click counters continue to climb.
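As an added, defender-side example (not code from HUMAN's report, which does not describe how the fragments are embedded): a PNG scanner that walks the chunk structure and flags the simplest carrier tricks, bytes appended after IEND (such as a ZIP/APK signature) and non-standard chunk types, run over a constructed PNG. Payloads hidden in pixel values would not be caught by this check; it is a triage filter, not a full steganalysis.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else is worth a look.
STANDARD = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "gAMA", "cHRM", "sRGB", "iCCP",
            "tEXt", "zTXt", "iTXt", "bKGD", "pHYs", "sBIT", "sPLT", "hIST", "tIME"}

def parse_png_chunks(data: bytes):
    """Walk PNG chunks; return (chunks, offset_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("ascii", "replace"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":          # anything past here is not part of the image
            return chunks, pos
    raise ValueError("no IEND chunk")

def find_png_anomalies(data: bytes) -> dict:
    """Summarise indicators that a PNG is carrying something besides an image."""
    chunks, end = parse_png_chunks(data)
    trailing = data[end:]
    return {
        "trailing_bytes": len(trailing),
        "trailing_zip_magic": trailing[:2] == b"PK",   # ZIP/APK local-file header
        "unknown_chunks": sorted({c for c, _, _ in chunks if c not in STANDARD}),
        "bad_crc": any(not ok for _, _, ok in chunks),
    }

def build_png(trailing: bytes = b"", extra_chunk=None) -> bytes:
    """Constructed 1x1 RGB PNG for testing (hypothetical sample, not a real carrier)."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one pixel
    out = PNG_SIG + chunk(b"IHDR", ihdr)
    if extra_chunk:
        out += chunk(*extra_chunk)
    return out + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailing

if __name__ == "__main__":
    print(find_png_anomalies(build_png(trailing=b"PK\x03\x04" + b"A" * 20)))
```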
The supporting domain network is layered. The platforms that promote the apps all funnel through a single node, “ad2.cc”, which functions as a Tier-2 C2. Analysts cataloged roughly 300 domain names tied to distribution and control. On the control servers the researchers found AI services with telling names—StableDiffusion, AIGuide, ChatGLM—suggesting an assembly-line production pipeline for content and apps. HUMAN reports the lion’s share of traffic flowed to the United States (≈30%), followed by India (≈10%) and Brazil (≈7%).
The scheme further evades detection through multi-level obfuscation, and the conditional activation based on install attribution complicates debugging. As a result, ad platforms and anti-fraud systems ingest a hybrid of real and fake signals—where the latter are deliberately triggered only when the likelihood of analyst observation is minimal.
HUMAN previously documented a similar campaign, IconAds, which employed 352 Android apps—evidence of a broader trend toward rapid scaling of these operations. In SlopAds’ case, Play Store takedowns curtailed the storefront, but the techniques uncovered—steganography, hidden browser containers, and attribution-conditioned activation—have already become staples of industrial-scale ad fraud.