
Cybercriminals have once again exploited Google Play’s security mechanisms, infiltrating the app marketplace with at least 331 malicious applications that collectively amassed over 60 million downloads, according to a recent investigation by Bitdefender’s security researchers. The large-scale fraud campaign has bypassed Android 13’s security features with alarming ease, allowing attackers to display out-of-context ads, hide app icons, and even launch phishing attacks aimed at stealing credentials and financial data.
The report highlights how the operators got past Google Play’s vetting process: many of these applications appeared benign when first published. As Bitdefender researchers observed, the malicious functionality was introduced later through app updates, a stealth tactic that lets attackers evade detection for extended periods.
“Most applications first became active on Google Play in Q3 2024. After further analysis, we saw that older ones that had been published earlier were initially benign and did not contain malware components. The malicious behavior was added afterward, starting with versions from the beginning of Q3,” Bitdefender’s report states.
Despite Android 13’s enhanced security restrictions, the attackers found innovative ways to override permissions and persist on infected devices. One particularly concerning discovery was how these apps started activities in the background without user interaction, a behavior that should not be technically possible under Android 13’s security policies.
Bitdefender’s researchers noted: “The apps can start without user interaction, even though this should not be technically possible in Android 13.”
These malicious applications also hid their icons from the device’s launcher, making manual removal more difficult for users. Attackers achieved this by abusing Android’s content provider mechanism, leveraging native code execution to enable or disable app visibility dynamically.
“After the setup procedure is complete, the app disables its launchers and the icon disappears entirely from the phone launcher,” Bitdefender revealed.
While many of these apps focused on ad fraud—displaying intrusive full-screen ads even when not in use—some went a step further, attempting to steal login credentials and credit card information through phishing schemes.
“Users could be asked to enter credentials from Facebook, YouTube, or other online services, or credit card information under various pretexts,” the report warns.
In some cases, these fraudulent apps masqueraded as legitimate services, such as QR scanners, expense trackers, health apps, and wallpaper applications. This disguise allowed them to operate undetected for long periods while continuing to harvest user data.
The campaign appears to be the work of either a single threat actor or multiple cybercriminal groups using the same packaging tool sold on underground markets. Even after Google removed many of these apps, Bitdefender found that 15 were still live on the Play Store at the conclusion of its investigation.
“To be clear, this is an active campaign. The latest malware published in the Google Play Store went live in the first week of March 2025. When we finished the investigation, a week later, 15 applications were still available for download on Google Play,” Bitdefender researchers noted.
To avoid security scans and malware detection tools, the attackers employed advanced obfuscation techniques. Their native libraries were obfuscated using the Armariris tool, and the malware contained runtime checks to detect emulated environments and debuggers, preventing researchers from easily analyzing their behavior.
“Upon further analysis, we discovered that the library contains runtime checks that allow it to determine if it runs in an emulated environment or if a debugger is connected to evade detection,” the report explains.
Given the persistence and sophistication of this fraudulent campaign, Bitdefender’s researchers emphasize that users cannot rely solely on Google Play’s security measures to stay protected.
Security recommendations include:
- Avoid downloading apps from unknown developers or those with poor reviews.
- Regularly audit installed applications and remove any that seem suspicious.
- Enable Google Play Protect and keep devices updated with the latest security patches.
- Use reputable mobile security solutions that offer real-time app anomaly detection.
- Be cautious of apps requesting unnecessary permissions, particularly those asking for access to sensitive data.
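
Because these apps disable their launcher entries after setup, an audit of installed applications should also look for third-party packages that no longer expose an enabled launcher activity. The script below is an added example, not code from Bitdefender's report; it assumes the two inputs were captured with `adb shell pm list packages -3` and `adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`, and the sample outputs and package names in it are constructed.

```python
import re

# Matches "pkg/.Activity" or "pkg/pkg.Activity" component lines.
COMPONENT_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+\s*$")

def third_party_packages(pm_list_output):
    """Parse `pm list packages -3` output ("package:<name>" per line)."""
    return {line.strip()[len("package:"):]
            for line in pm_list_output.splitlines()
            if line.strip().startswith("package:")}

def packages_with_launcher(query_output):
    """Package names of the components listed by `query-activities`."""
    matches = (COMPONENT_RE.match(line) for line in query_output.splitlines())
    return {m.group(1) for m in matches if m}

def hidden_candidates(pm_list_output, query_output):
    """Third-party packages with no enabled launcher activity, sorted."""
    return sorted(third_party_packages(pm_list_output)
                  - packages_with_launcher(query_output))

# Constructed sample data; the package names are made up for illustration.
SAMPLE_PM_LIST = """\
package:com.example.qrscanner
package:com.example.notes
package:com.example.wallpapers
"""

# Assumed --brief layout: a header, then a detail line and a component line per match.
SAMPLE_QUERY = """\
2 activities found:
  Activity #0:
    priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
    com.example.notes/.MainActivity
  Activity #1:
    priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
    com.android.settings/.Settings
"""

if __name__ == "__main__":
    for pkg in hidden_candidates(SAMPLE_PM_LIST, SAMPLE_QUERY):
        print("no enabled launcher activity:", pkg)
```

Packages that legitimately ship without a launcher entry, such as keyboards or widget-only apps, will also be listed, so treat the output as a review list rather than a verdict.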
Bitdefender warns that cybercriminals are constantly adapting, finding new ways to evade security filters and distribute malware through official app stores.
“This is one of the main reasons why it’s not enough for users to rely solely on the protection available by default on Android devices and the Google Play Store,” the report states.