Cybersecurity researchers from Bitdefender and Integral Ad Science (IAS) have uncovered a sophisticated malware campaign dubbed “Vapor” that has infected more than 60 million Android devices worldwide. The operation, which deployed over 330 malicious applications through the Google Play Store, represents one of the largest mobile malware campaigns detected in recent years, combining aggressive advertising fraud with data theft capabilities.
Sophisticated Deployment Strategy Bypasses Google Play Protections
The threat actors behind Vapor implemented an advanced “versioning” technique to circumvent Google Play’s security measures. This method involved initially submitting clean applications to the store, followed by introducing malicious code through subsequent updates. The malware was strategically disguised as popular utility applications, including QR code scanners, fitness trackers, and productivity tools, effectively deceiving both users and Google’s security screening processes.
Advanced Technical Capabilities and Malicious Behaviors
The malware exhibits sophisticated technical characteristics that demonstrate its creators’ expertise. Upon installation, infected applications execute multiple malicious behaviors, including:
– Concealing their presence by hiding app icons
– Bypassing SYSTEM_ALERT_WINDOW restrictions in Android 13
– Generating full-screen overlay advertisements
– Removing themselves from recent tasks lists
Additionally, the malware incorporates advanced phishing functionality specifically designed to harvest banking credentials and user account information.
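Because the "versioning" approach introduces the malicious behavior in an update, comparing an app's manifest across two versions is one way an audit can surface it. The following is an added example, not code from Bitdefender, IAS, or the original article: it assumes both manifests have already been decoded to text XML, and the package name, the sample manifests, and the three heuristics (new permissions, a lost launcher entry, activities excluded from recents) are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "android.intent.category.LAUNCHER"

def summarize(manifest_xml):
    """Pull out permissions, launcher presence and recents-hidden activities."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    launcher, no_recents = False, set()
    for act in [*root.iter("activity"), *root.iter("activity-alias")]:
        cats = {c.get(A + "name") for c in act.iter("category")}
        # A disabled component gets no launcher icon even if it declares LAUNCHER.
        if act.get(A + "enabled", "true") == "true" and LAUNCHER in cats:
            launcher = True
        if act.get(A + "excludeFromRecents") == "true":
            no_recents.add(act.get(A + "name"))
    return perms, launcher, no_recents

def diff_versions(old_xml, new_xml):
    """List changes between two versions that match the behaviours above."""
    (op, ol, orr), (np_, nl, nr) = summarize(old_xml), summarize(new_xml)
    findings = [f"new permission: {p}" for p in sorted(np_ - op)]
    if ol and not nl:
        findings.append("launcher entry removed or disabled")
    findings += [f"excluded from recents: {a}" for a in sorted(nr - orr)]
    return findings

# Constructed sample manifests (hypothetical package), not taken from any Vapor app.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
MAIN = ('<intent-filter><action android:name="android.intent.action.MAIN"/>'
        f'<category android:name="{LAUNCHER}"/></intent-filter>')
V1 = f"""<manifest {NS} package="com.example.qrscan">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><activity android:name=".Main">{MAIN}</activity></application>
</manifest>"""
V2 = f"""<manifest {NS} package="com.example.qrscan">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main" android:enabled="false">{MAIN}</activity>
    <activity android:name=".Promo" android:excludeFromRecents="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in diff_versions(V1, V2):
        print(finding)
```

A manifest diff only sees declared state; components that an app enables or disables at runtime will not show up here.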
Campaign Timeline and Impact Assessment
The Vapor campaign began operating in April 2024 and reached peak activity in early 2025. During October–November 2024 alone, cybercriminals uploaded more than 140 malicious applications to the Google Play Store. The campaign’s advertising fraud component generated over 200 million ad requests daily, indicating substantial financial gains for the threat actors.
While Google has removed the majority of identified malicious applications, security researchers confirm that approximately 15 harmful apps remained available for download as of March 2025. Security experts strongly advise users to implement comprehensive security measures, including regular app audits, immediate removal of suspicious applications, and careful verification of new installations through trusted security tools. The persistence of this campaign underscores the importance of vigilant security practices when managing mobile applications and personal data on Android devices.