
“At the beginning, when we found this threat, the icon of the app would just be hidden,” said João Santos, senior manager of threat intelligence at HUMAN. “Now it’s more common to find apps on this threat where they just replace the icon with Gmail, Google Maps, or something like that. So you install an application for ‘Wallpapers 2025,’ but when you go to your app drawer, you only see Google Home or Google Maps.”
Not only did the apps obscure their display icons to deter detection, they employed a variety of other “very thorough” obfuscation tactics from the app display to the server, Santos said.
In some cases, the apps encrypted key data within hard-to-find parts of their native code. They frequently used misleading file names and metadata, and often attempted to hide details like operating system version, device model, and language when connecting to networks by using random English words in their code.
A similar tactic was used for naming the apps’ domains, too.
“If you have a wallpaper app, it will be something like ‘bag.wallpaperapp.com,’ and all the requests are going to that server,” explained Santos. “All the parameters—for instance, your device model, the Android version—instead of being called ‘Android version,’ they will be called ‘desk,’ or ‘pen.’ It will be unique for each application, which also makes it hard to detect these at the network level.”
In some instances, the apps functioned as expected, and then later deployed an update that introduced a back door to serve out-of-context ads.
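One defender-side check for the icon tricks described above, as an added example that is not part of the article or of HUMAN's research: it audits a constructed app-inventory export (the JSON field names and the non-Google sample packages are assumptions) and flags packages whose launcher label claims to be Gmail, Google Maps or Google Home without the matching Google package name, plus user-installed packages that have no launcher entry at all.

```python
import json

# Launcher labels the article says were impersonated, mapped to the package
# names that legitimately own them on Android.
TRUSTED_LABELS = {
    "gmail": "com.google.android.gm",
    "google maps": "com.google.android.apps.maps",
    "google home": "com.google.android.apps.chromecast.app",
}

# Constructed sample export from a hypothetical MDM / adb inventory script.
# The non-Google package names are made up for illustration.
SAMPLE_INVENTORY = json.dumps([
    {"package": "com.google.android.gm", "label": "Gmail",
     "launcher_visible": True, "user_installed": True},
    {"package": "com.wallpaperapp.bag", "label": "Google Maps",
     "launcher_visible": True, "user_installed": True},
    {"package": "com.example.wallpapers2025", "label": "Wallpapers 2025",
     "launcher_visible": False, "user_installed": True},
    {"package": "com.android.systemui", "label": "System UI",
     "launcher_visible": False, "user_installed": False},
])


def audit_inventory(raw_json):
    """Return (package, finding, detail) tuples for suspicious entries."""
    findings = []
    for app in json.loads(raw_json):
        pkg = app["package"]
        label = app.get("label", "").strip()
        expected = TRUSTED_LABELS.get(label.casefold())

        # A well-known Google label on a package Google does not own.
        if expected and pkg != expected:
            findings.append((pkg, "label_impersonation",
                             f"label {label!r} belongs to {expected}"))

        # User-installed app with its icon hidden from the app drawer.
        # Noisy on its own (some legitimate apps ship no launcher activity),
        # so treat it as a lead to review rather than a verdict.
        if app.get("user_installed") and not app.get("launcher_visible", True):
            findings.append((pkg, "hidden_launcher_icon",
                             "user-installed app has no launcher entry"))
    return findings


if __name__ == "__main__":
    for pkg, kind, detail in audit_inventory(SAMPLE_INVENTORY):
        print(f"{pkg}: {kind} ({detail})")
```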
Infected apps were also associated with a variety of shell publisher companies.
“They would launch 20 applications in the Play Store, and they’d all be associated with one publisher,” said Santos. “Then, as long as these applications were being removed and detected from the Play Store, they would create another publisher—another fake entity.”
Apps involved in the IconAds scheme were able to keep monetizing because users often didn’t know how to delete them or chose not to do so.
HUMAN has been monitoring this kind of fraudulent behavior since 2023, but earlier this year it saw activity spike and tactics grow more sophisticated, spurring deeper research.
After being alerted about the fraudulent operation, Google pulled all of the detected apps from the Play Store.