Cybersecurity researchers from Bitdefender and Integral Ad Science (IAS) have uncovered a large-scale Android malware campaign dubbed “Vapor” that infected more than 60 million devices worldwide via over 330 malicious applications distributed through the Google Play Store. The campaign combined aggressive advertising fraud with credential phishing and represents one of the largest Play Store abuse operations on record.
Sophisticated Deployment Strategy Bypasses Google Play Protections
The threat actors behind Vapor used a “versioning” technique to evade Google Play’s security review. Clean application builds were submitted first, passing automated and manual checks. Malicious code was then introduced through subsequent updates, after the apps had accumulated downloads and reviews. Applications were disguised as QR code scanners, fitness trackers, and productivity utilities to maximise organic discovery.
Advanced Technical Capabilities and Malicious Behaviors
Once installed, Vapor-infected applications executed a layered set of malicious actions:
- Concealing themselves by hiding the app icon from the launcher after first run
- Bypassing SYSTEM_ALERT_WINDOW restrictions introduced in Android 13
- Rendering full-screen overlay advertisements that lock the device display
- Removing themselves from the recent tasks list to evade user detection
- Displaying phishing overlays targeting banking credentials and account login information
Campaign Timeline and Scale
Vapor began operations in April 2024 and reached peak activity in early 2025. During October–November 2024 alone, attackers uploaded more than 140 malicious apps to Google Play. The advertising fraud component generated over 200 million ad requests per day, indicating substantial financial returns for the operators.
Android Users Who Installed Apps from the Vapor Malware Campaign
Any Android user who installed utility apps from the Play Store between April 2024 and early 2025 should review their installed applications. The affected apps impersonated common utility categories, making them difficult to identify by name alone. Users who experienced unexplained full-screen ads, rapid battery drain, or unauthorized charges on linked accounts are more likely to have had a Vapor app installed.
Removing Vapor Malware from Android: Identification and Recovery Steps
- Open Google Play and check “Manage apps and device” for any flagged or recently removed applications — Google removed the majority of identified apps but approximately 15 remained available as of March 2025
- Review your installed apps list and uninstall any QR scanner, fitness tracker, or utility app you do not actively use or cannot verify by publisher name
- Check your Android security settings: go to Settings > Privacy > Permission Manager and revoke SYSTEM_ALERT_WINDOW and accessibility permissions for any unfamiliar app
- Change passwords for banking and financial apps from a separate, trusted device if you suspect compromise
- Enable Google Play Protect and run a full device scan (Play Store > Profile > Play Protect > Scan device)
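The permission review in the steps above can also be run from a computer over adb. The Python below is an added example, not code from Bitdefender, IAS or Google: it lists user-installed packages that hold an explicit overlay (SYSTEM_ALERT_WINDOW) grant or an enabled accessibility service. The function names, the `com.example.*` package names and the SAMPLE_ command output are constructed for illustration; `audit_device()` assumes adb is installed and USB debugging is enabled.

```python
import re
import subprocess

def adb(*args):  # run one command on the USB-connected device, return stdout
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

def parse_packages(pm_output):
    """`pm list packages -3` prints one `package:<name>` line per user-installed app."""
    return {line.split(":", 1)[1].strip() for line in pm_output.splitlines()
            if line.startswith("package:")}

def overlay_allowed(appops_output):
    """Only an explicit `allow` counts; `default`, `ignore` or `No operations.` do not."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(m) and m.group(1) == "allow"

def accessibility_packages(setting):
    """The setting is a colon-separated list of `<package>/<service>`, or `null`."""
    items = [] if setting.strip() in ("", "null") else setting.strip().split(":")
    return {c.split("/", 1)[0] for c in items if c}

def audit(pm_output, appops_by_pkg, a11y_setting):
    """Return {package: [reasons]} for user-installed apps holding either permission."""
    a11y = accessibility_packages(a11y_setting)
    findings = {}
    for pkg in sorted(parse_packages(pm_output)):
        checks = (("overlay", overlay_allowed(appops_by_pkg.get(pkg, ""))),
                  ("accessibility", pkg in a11y))
        reasons = [name for name, hit in checks if hit]
        if reasons:
            findings[pkg] = reasons
    return findings

def audit_device():
    """Live variant: needs adb on PATH and USB debugging enabled on the phone."""
    pm = adb("pm", "list", "packages", "-3")
    ops = {p: adb("appops", "get", p, "SYSTEM_ALERT_WINDOW") for p in parse_packages(pm)}
    return audit(pm, ops, adb("settings", "get", "secure", "enabled_accessibility_services"))

# Constructed sample output; these package names are made up, not campaign indicators.
SAMPLE_PM = "package:com.example.qrscan\npackage:com.example.notes\npackage:com.example.steps\n"
SAMPLE_OPS = {"com.example.qrscan": "SYSTEM_ALERT_WINDOW: allow; time=+2h3m ago\n",
              "com.example.notes": "No operations.\n",
              "com.example.steps": "SYSTEM_ALERT_WINDOW: ignore\n"}
SAMPLE_A11Y = "com.example.steps/com.example.steps.HelperService\n"
if __name__ == "__main__":
    for pkg, why in audit(SAMPLE_PM, SAMPLE_OPS, SAMPLE_A11Y).items():
        print(f"{pkg}: {', '.join(why)}")
```

A flagged package is not necessarily malicious; the result is a shortlist to check against the publisher name before revoking the permission or uninstalling.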
Google has been notified and is actively removing identified apps. CISA recommends keeping Android devices updated to the latest OS version and limiting app installations to well-known, verified publishers.