
A mobile ad fraud operation dubbed IconAds that consisted of 352 Android apps has been disrupted, according to a new report from HUMAN.
The identified apps were designed to load out-of-context ads on a user’s screen and hide their icons from the device home screen launcher, making it harder for victims to remove them, per the company’s Satori Threat Intelligence and Research Team. The apps have since been removed from the Play Store by Google.
At the height of its activity, the ad fraud scheme accounted for 1.2 billion bid requests a day. The vast majority of IconAds-associated traffic originated from Brazil, Mexico, and the United States.
It’s worth noting that IconAds is a variant of a threat that’s also tracked by other cybersecurity vendors under the names HiddenAds and Vapor, with the malicious apps repeatedly slipping past the Google Play Store since at least 2019.
Some of the common characteristics of these apps include the use of obfuscation to conceal device information during network communications, a set naming pattern used for the command-and-control (C2) domains, and their ability to replace the default MAIN/LAUNCHER activity by declaring an activity-alias in the manifest.
“This means that when the app is installed, the default label name and icon will be displayed, but as soon as the app runs, the activity-alias declared on the manifest will be active and persist even after relaunching the app or rebooting the device,” HUMAN said.
This behavior, in turn, causes the app's name and icon to be hidden from the home screen, hindering easy uninstallation. The end goal of the apps is to load interstitial ads regardless of which app is in the foreground, disrupting the user experience.
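The manifest pattern described above can be screened for statically. The following is an added example written for this article, not HUMAN's tooling or code from any IconAds sample: it parses a decoded AndroidManifest.xml and flags the indicators a triage analyst would look for, namely a MAIN/LAUNCHER intent filter declared on an activity-alias, launcher entries that start disabled (so they can be toggled at runtime), and launcher entries whose label or icon differ from the application's own. The embedded manifest, package name and class names are constructed for illustration.

```python
"""Static triage heuristic for launcher-icon hiding via activity-alias.

Added example, not HUMAN's tooling.  The manifest, package and class names
below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(attr):
    """Qualified name for an android:<attr> attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


def is_launcher(component):
    """True if the component declares an intent filter for MAIN + LAUNCHER."""
    for intent_filter in component.findall("intent-filter"):
        actions = {e.get(android_attr("name")) for e in intent_filter.findall("action")}
        categories = {e.get(android_attr("name")) for e in intent_filter.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def triage_manifest(xml_text):
    """Return a list of (component_name, finding) tuples for suspicious launcher declarations."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    app_label = app.get(android_attr("label"))
    app_icon = app.get(android_attr("icon"))
    findings = []

    launchers = [c for c in list(app) if c.tag in ("activity", "activity-alias") and is_launcher(c)]
    if len(launchers) > 1:
        findings.append(("<application>", f"{len(launchers)} MAIN/LAUNCHER components declared"))

    for c in launchers:
        name = c.get(android_attr("name"))
        if c.tag == "activity-alias":
            findings.append((name, "MAIN/LAUNCHER declared on an activity-alias"))
        if c.get(android_attr("enabled")) == "false":
            findings.append((name, "launcher entry disabled at install; can be enabled at runtime"))
        label = c.get(android_attr("label"))
        icon = c.get(android_attr("icon"))
        if label is not None and label != app_label:
            findings.append((name, f"launcher label {label!r} differs from application label {app_label!r}"))
        if icon is not None and icon != app_icon:
            findings.append((name, f"launcher icon {icon!r} differs from application icon {app_icon!r}"))
    return findings


# Constructed manifest: a normal launcher activity plus a disabled alias with an
# empty label and a transparent icon, the shape an icon-hiding app would use.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iconhider">
  <application android:label="Photo Cleaner" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".HiddenAlias"
        android:targetActivity=".MainActivity"
        android:enabled="false"
        android:label=""
        android:icon="@drawable/transparent">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>"""

if __name__ == "__main__":
    for component, finding in triage_manifest(SAMPLE_MANIFEST):
        print(f"{component}: {finding}")
```

A legitimate app can declare an activity-alias (for example to offer a second launcher shortcut), so each finding is a prompt for manual review rather than a verdict; the combination of a disabled alias with an empty label and a non-default icon is what makes the sample above worth a closer look.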
Some IconAds variants impersonate the Google Play Store (or other Google apps, reusing their icons and names) instead of concealing their icon. Tapping the app redirects the victim to the genuine app while the malicious activity continues in the background.
Newer iterations of the malicious apps also add a check to determine whether the application was installed from the Play Store, as well as additional layers of obfuscation to resist dynamic analysis.

“Many IconAds-associated apps have short shelf lives before being removed from the Play Store,” HUMAN researchers said. “With the several evolutions of this threat, researchers expect continued adaptation, with new apps published and new obfuscation techniques added.”
The disclosure comes as IAS Threat Lab exposed another “insidiously adaptive” ad fraud operation called Kaleidoscope that relies on the evil twin technique, using “legitimate-looking apps hosted on Google Play as a deceptive façade, while its malicious duplicate counterparts, distributed predominantly through third-party app stores, drive fraudulent ad supply.”
Kaleidoscope is an evolution of Konfety, a similar ad fraud scheme that revolved around apps embedding an advertising framework called CaramelAds SDK. The newly identified apps have since removed references to CaramelAds and folded the core functionality into other manipulated SDKs under names like Leisure, Raccoon, and Adsclub.
The essence of the operation is this: Cybercriminals create two nearly identical versions of the same app, a harmless “decoy twin” available on Google Play and an “evil twin” that’s distributed through third-party app stores or fake websites. The “evil twin” app then generates intrusive, unwanted ads to fraudulently earn advertising revenue.
According to telemetry data from ESET for the period December 2024 to May 2025, Kaleidoscope impacts a large number of Android users across the world, the most affected being Latin America, Türkiye, Egypt, and India due to the popularity of third-party app stores in these regions.
The adware activity kicks in when users unintentionally install the “evil twin” apps, resulting in intrusive ads and degraded device performance. Because the copycat app presents the benign twin's app ID when those ads are served, advertisers end up paying the fraudsters for illegitimate ad views.
“The primary monetization strategy in this scheme relies on malicious duplicates distributed through third-party app stores, where a benign app ID is exploited by a malicious counterpart to generate ad impressions and drive revenue,” IAS said. “The malicious app delivers intrusive out-of-context ads under the guise of the benign app ID in the form of full-screen interstitial images and videos, triggered even without user interaction.”
A significant chunk of Kaleidoscope’s monetization has been traced back to a Portuguese company named Saturn Dynamic that claims to offer a way to “monetize display ads and videos.”
From Ad Fraud to Financial Fraud
Android devices have also come under assault from malware families such as NGate and SuperCard X that abuse Near-field communication (NFC) to commit financial fraud. Both rely on inventive relay techniques: NFC traffic from a victim's payment card is routed through the compromised phone to attacker-controlled devices, enabling criminals to withdraw cash from ATMs remotely.
Mobile malware campaigns leveraging these malicious programs have claimed successful infections across Russia, Italy, Germany, and Chile.
NGate has also inspired another NFC-based technique, referred to as Ghost Tap, in which attackers register stolen card data in their own digital wallets such as Google Pay and Apple Pay. The loaded wallets are then used to relay fraudulent contactless payments anywhere in the world.
“Ghost Tap attackers create fraudulent transactions by tapping compromised mobile devices against NFC-enabled payment terminals,” ESET noted. “These transactions appear legitimate, bypassing traditional security checks, and allowing criminals to cash out quickly.”
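One consequence of relayed taps is that a single tokenised card can produce card-present transactions in places no cardholder could reach in the time between them. The following is an added example, not code from ESET or from any issuer: an issuer-side “impossible travel” check that groups contactless taps by wallet token, computes the great-circle distance between consecutive taps, and flags pairs whose implied speed is not physically plausible. The transactions and the speed threshold are constructed assumptions to be tuned against real data.

```python
"""Issuer-side 'impossible travel' check for relayed contactless payments.

Added example, not ESET's or any issuer's code.  Transactions below are
constructed; MAX_PLAUSIBLE_KMH is an assumed threshold (roughly airliner speed).
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than this between two taps is not a person travelling


@dataclass(frozen=True)
class Tap:
    token: str    # wallet/device token presented at the terminal, not the PAN
    ts: int       # terminal timestamp, epoch seconds
    lat: float    # terminal location
    lon: float
    amount: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(h))


def impossible_travel(taps, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (earlier_tap, later_tap, implied_kmh) for consecutive taps on one token
    whose implied travel speed exceeds max_kmh.  Same-second taps at different
    terminals are reported with an infinite speed."""
    by_token = {}
    for tap in sorted(taps, key=lambda t: (t.token, t.ts)):
        by_token.setdefault(tap.token, []).append(tap)

    flagged = []
    for sequence in by_token.values():
        for prev, cur in zip(sequence, sequence[1:]):
            dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            dt_hours = (cur.ts - prev.ts) / 3600
            if dt_hours <= 0:
                if dist_km > 0:
                    flagged.append((prev, cur, float("inf")))
                continue
            speed = dist_km / dt_hours
            if speed > max_kmh:
                flagged.append((prev, cur, speed))
    return flagged


# Constructed sample: token A is tapped in Berlin and then in Santiago 30 minutes
# later (a relay cash-out pattern); token B moves Milan -> Rome over three hours.
SAMPLE_TAPS = [
    Tap("tok-A", 1_700_000_000, 52.52, 13.405, 120.0),
    Tap("tok-A", 1_700_000_000 + 1800, -33.45, -70.67, 95.0),
    Tap("tok-B", 1_700_000_000, 45.46, 9.19, 12.5),
    Tap("tok-B", 1_700_000_000 + 3 * 3600, 41.90, 12.50, 8.0),
]

if __name__ == "__main__":
    for earlier, later, kmh in impossible_travel(SAMPLE_TAPS):
        print(f"{earlier.token}: {kmh:.0f} km/h implied between taps at "
              f"({earlier.lat}, {earlier.lon}) and ({later.lat}, {later.lon})")
```

The check is deliberately cheap so it can run in the authorisation path; it does not catch a single relayed tap, only the second one, and it treats terminal geolocation as trustworthy, which is a reasonable assumption for acquirer-reported merchant locations but not for coordinates supplied by the paying device.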
Android SMS Stealer Infects 100,000 Devices in Uzbekistan
The findings coincide with the discovery of a new Android malware campaign that’s distributing a previously unidentified SMS stealer called Qwizzserial that has infected nearly 100,000 devices, primarily in Uzbekistan. The resulting financial losses are estimated to be at least $62,000 between March and June 2025.
First discovered by Group-IB in March 2024, the malware is designed to harvest a list of installed financial apps, intercept two-factor authentication (2FA) SMS codes, and exfiltrate the details to the attackers via Telegram bots.
Masquerading as legitimate banking apps and government services, Qwizzserial is mainly distributed in the form of APK files on bogus Telegram channels that claim to be government entities and officials. Simply put, the attacks abuse the trust users place in government services to trick them into installing the apps.
Telegram is also central to the operation in that bots operated by the threat actors are used to automate the process of creating the malicious apps used for distribution. Other channels are devoted to internal group chats and making announcements related to the earnings made by different members.
Once installed, the apps ask users to grant them permission to access SMS messages and phone calls. The user is then prompted to enter two phone numbers and their bank card number along with its expiration date, after which the entered information is sent to the attackers via the Telegram Bot API.

As part of its SMS gathering step, Qwizzserial employs regular expression patterns to search for messages related to bank account balances and those that mention a sum exceeding 500,000 UZS ($39).
Newer samples of the malware have also been found to ask users to disable battery optimization restrictions, thereby allowing it to run in the background without any intervention. Another change is that the collected data is transmitted to an external server by means of HTTP POST requests instead of directly sending it to the Telegram API.
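The message selection described above can be reproduced so that an analyst replaying a victim's inbox can see which messages would have been forwarded. The following is an added example written for this article, not code recovered from Qwizzserial: it applies two regular expression checks, one for balance-related wording and one for amounts in UZS above the 500,000 threshold, to a constructed SMS inbox. The keyword list, the amount formats accepted and the sample messages are assumptions, not the malware's actual patterns, and the separate interception of 2FA codes is not modelled here.

```python
"""Re-creation of the SMS triage attributed to Qwizzserial.

Added example, not the malware's code.  Keyword lists, accepted amount formats
and the sample inbox are constructed assumptions.
"""
import re

THRESHOLD_UZS = 500_000  # the threshold reported for the stealer

# Assumed balance-related terms: Uzbek (Latin and Cyrillic), Russian and English.
BALANCE_KEYWORDS = re.compile(r"\b(balans|баланс|balance|hisob|счет|счёт)\b", re.IGNORECASE)

# Amounts such as "1 250 000 UZS", "750,000 so'm", "120 000 сум", "1250000.00 sum".
# Group 'amount' captures the integer part, with spaces, commas or dots as thousands separators.
AMOUNT_RE = re.compile(
    r"(?P<amount>\d{1,3}(?:[ ,.]\d{3})+|\d+)(?:[.,]\d{2})?\s*(?:UZS|so'?m|сум|sum)\b",
    re.IGNORECASE,
)


def parse_amounts(text):
    """Return every UZS amount found in text as an integer, separators removed."""
    amounts = []
    for match in AMOUNT_RE.finditer(text):
        digits = re.sub(r"[ ,.]", "", match.group("amount"))
        amounts.append(int(digits))
    return amounts


def is_interesting(text, threshold=THRESHOLD_UZS):
    """Mimic the stealer's filter: balance-related wording, or any amount above threshold."""
    if BALANCE_KEYWORDS.search(text):
        return True
    return any(amount > threshold for amount in parse_amounts(text))


def triage_inbox(messages, threshold=THRESHOLD_UZS):
    """Return the (sender, body) messages that would have been selected for exfiltration."""
    return [(sender, body) for sender, body in messages if is_interesting(body, threshold)]


# Constructed inbox: two payment notifications, one OTP, one personal message, one small transfer.
SAMPLE_INBOX = [
    ("HUMO", "Pokupka 45 000 UZS. Karta *1234. Balans: 1 250 000 UZS"),
    ("UZCARD", "Spisanie 750,000 so'm. Ostatok skryt."),
    ("10001", "Vash kod podtverzhdeniya: 482913"),
    ("Friend", "Ko'rishguncha, 5 da kafe"),
    ("Bank", "Перевод 120 000 сум выполнен"),
]

if __name__ == "__main__":
    for sender, body in triage_inbox(SAMPLE_INBOX):
        print(f"[would exfiltrate] {sender}: {body}")
```

Reproducing the selection logic this way also gives defenders a concrete list of which banks' notification formats fall inside the filter; the OTP message in the sample is not selected by these two checks, which matches the text's description of code interception as a separate capability.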
“SMS stealers pose a serious threat in Uzbekistan, as SMS remains a primary channel to interact with end users,” the Singaporean cybersecurity company said. “Local payment systems are reliant on SMS to deliver two-factor authentication (2FA) codes for confirmation.”
It’s not just Qwizzserial. In recent months, mobile users in India have been targeted by fake wedding invites that propagate malware-laced APK files through WhatsApp and Telegram to ultimately deploy SpyMax RAT (aka SpyNote) or other spyware that can capture sensitive data from infected devices.
Another campaign documented by Kaspersky entails the distribution of a new trojan named SparkKitty, which is capable of targeting both Android and iOS devices. The offending apps (币coin and SOEX) are no longer available for download from the respective app storefronts.
Outside of Apple's App Store, the malware is also embedded within modified TikTok clones hosted on phony websites mimicking app listing pages. To facilitate installation through this vector, the malware developers rely on a provisioning profile obtained via Apple's Developer Program to install a certificate on victims' iPhones and push the app without uploading it to the App Store.
“While most versions of this malware indiscriminately steal all images, we discovered a related malicious activity cluster that uses OCR [optical character recognition] to pick specific pictures,” the Russian cybersecurity company said.
SparkKitty, assessed to be active since at least February 2024, is believed to be a possible successor to SparkCat, which also employs OCR to detect specific images containing wallet recovery phrases.
“Although we suspect the attackers’ main goal is to find screenshots of crypto wallet seed phrases, other sensitive data could also be present in the stolen images,” Kaspersky said. “Judging by the distribution sources, this spyware primarily targets users in Southeast Asia and China.”