Vapor Operation: 331 Malicious Apps Bypassed Android 13 Security Features

Google Play Store, the most widely used app marketplace for Android devices, recently faced a major security breach. Researchers identified 331 malicious apps that successfully bypassed Android 13’s security mechanisms, allowing them to operate undetected.

Discovery of the “Vapor” Operation

First uncovered by IAS Threat Lab in early 2024, the operation—named “Vapor”—initially involved 180 apps found on the Play Store. These apps generated over 200 million fake ad requests. Later, security firm Bitdefender expanded the list to 331 apps, warning that they “display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks.”

How These Apps Evaded Detection

The malicious apps deployed several deceptive tactics. Some could rename themselves in device settings, mimicking legitimate applications like Google Voice. Others launched in the background without user input, hid from the Recent Tasks menu, and even disabled the back button or gesture while displaying full-screen ads. The most concerning aspect was their ability to present fake login pages for platforms like Facebook and YouTube, tricking users into entering sensitive information, including credit card details.

Google’s Response

Following the discovery, Google removed all the identified apps from its platform. A company spokesperson told BleepingComputer, “All of the identified apps from this report have been removed from Google Play.”

Methods Used to Bypass Security

According to Bitdefender, some of these apps initially functioned as legitimate utilities, which allowed them to pass Play Store security checks. However, the developers later added malicious functionality that enabled the apps to display intrusive ads and collect user data.

These apps disguised themselves as utility tools such as expense trackers, health apps, wallpaper apps, and QR scanners. Some of the identified apps include AquaTracker, ClickSave Downloader, Scan Hawk, Water Time Tracker, Be More, and TranslateScan, each accumulating over a million downloads.

Timeline and Tactics

Most of these apps were uploaded between October 2024 and January 2025, with some developers continuing to publish apps until March. To avoid detection, the perpetrators used multiple developer accounts, each releasing only a few apps.

This incident highlights the ongoing challenges in app security and the need for users to remain vigilant while downloading applications, even from trusted sources like the Google Play Store.

 

 
