An ad fraud scheme, dubbed IconAds, that served out-of-context mobile ads has led Google to pull 352 apps from its Play Store.
The operation, uncovered by cybersecurity firm HUMAN, was designed to generate revenue through spoofed ad impressions. Users download Android apps—which pose as generic tools like flashlights, file scanners, and photo apps—that disguise their icons on user screens to impede detection. They then display ads on users’ screens, even when the apps in question are not in use.
At its height, the apps generated around 1.2 billion ad bid requests per day. Traffic generated by IconAds primarily originated from Brazil, Mexico, and the U.S.
“This is a very uninvestigated, unseen side of the internet where fraudsters are making millions of dollars, and there are not a lot of people that are paying attention or actually mitigating,” said Gavin Reid, HUMAN’s chief information security officer.
Four months ago, a similar Android ad fraud scheme was uncovered by ad verification firm Integral Ad Science, leading Google to remove more than 180 apps from the Play Store.
Google declined ADWEEK’s request for comment.
“The bad actors make their apps look like other apps so that people install them,” explained Reid. “They don’t have to have millions of installs of that particular app, because new ones are coming next week, and the ones that are there stay there forever.”
In some examples, affected apps appeared on users’ home screens as white circles with no name. Tapping the white circle did nothing. The apps then deployed hidden ad-serving code, serving interstitial ads on the user’s screen regardless of whether the app was in use.
In another instance, an app mimicked the Google Play Store logo. When a user clicked, the app redirected the user to the real Google Play Store—only to work secretly in the background to serve out-of-context ads.
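The two disguise patterns described above (a nameless launcher icon, and a label that imitates the Play Store on a package that is not Google's) can be checked against an inventory of installed apps. The script below is an added example, not code from HUMAN, ADWEEK or the IconAds apps; the app records are constructed, and it assumes the package name and launcher label were already collected from the device (for instance via the Android package manager), which is not shown here.

```python
"""Flag installed-app records matching the icon-disguise patterns in the article."""
import re
from dataclasses import dataclass

# Real package name of the Google Play Store client.
PLAY_STORE_PACKAGE = "com.android.vending"
# Labels a user would read as "the Play Store".
PLAY_STORE_LABEL = re.compile(r"^\s*(google\s+)?play\s+store\s*$", re.IGNORECASE)


@dataclass
class AppRecord:
    package: str      # package name as reported by the package manager
    label: str        # launcher label shown under the home-screen icon
    system_app: bool  # True for preinstalled packages (skipped by the check)


def disguise_reasons(app: AppRecord) -> list[str]:
    """Return the disguise patterns an app record matches (empty list = none)."""
    reasons = []
    # Pattern 1: icon with no readable name (the "white circle" case).
    # isalnum() also catches labels made only of zero-width or symbol characters.
    if not app.label.strip() or not any(c.isalnum() for c in app.label):
        reasons.append("nameless launcher icon")
    # Pattern 2: Play Store label on a package that is not the real client.
    if PLAY_STORE_LABEL.match(app.label) and app.package != PLAY_STORE_PACKAGE:
        reasons.append("Play Store label on third-party package")
    return reasons


def flag_disguised_apps(apps: list[AppRecord]) -> dict[str, list[str]]:
    """Map each flagged third-party package to the reasons it was flagged."""
    flagged = {}
    for app in apps:
        if app.system_app:
            continue
        reasons = disguise_reasons(app)
        if reasons:
            flagged[app.package] = reasons
    return flagged


# Constructed sample inventory (hypothetical package names).
SAMPLE_APPS = [
    AppRecord("com.android.vending", "Google Play Store", True),
    AppRecord("com.example.flashlight", "Flashlight", False),
    AppRecord("com.example.scanner", "", False),
    AppRecord("com.example.photos", "\u200b", False),  # zero-width-space label
    AppRecord("com.example.fakestore", "Play Store", False),
]

if __name__ == "__main__":
    for pkg, why in flag_disguised_apps(SAMPLE_APPS).items():
        print(f"{pkg}: {', '.join(why)}")
```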