'Vapor' ad fraud exposed, with 180+ fake apps and 56 million downloads : Report

The IAS Threat Lab has uncovered a sophisticated ad fraud scheme, codenamed 'Vapor,' leveraging fake Android apps to deploy full-screen interstitial video ads. The scheme, named for its ability to 'evaporate' real functionality from apps, exploits users and ad networks at scale.

According to the August 2023-March 2025 Vapor Threat Report, the operation involves more than 180 app IDs identified since early 2024, amassing over 56 million downloads and generating over 200 million bid requests daily. These apps, stripped of any real functionality, bombard users with intrusive ads.

The fraudsters behind Vapor use multiple developer accounts, each hosting a small number of apps, to distribute the scheme and evade detection. This decentralised approach ensures that the takedown of one account has minimal impact on the overall operation. The threat actors also embed ad SDKs within their apps and create corresponding seller accounts to monetise the traffic.

IAS collaborated with industry partners, leading to Google's removal of all identified Vapor apps from the Play Store. Google Play Protect will now warn users and automatically disable these apps, even if downloaded from outside the Play Store. 

The Vapor apps are designed to mimic legitimate apps, appearing as utilities like QR scanners, password managers, and flashlights, as well as health, fitness, and lifestyle apps. While initial versions of these apps functioned normally, later updates removed genuine features, replacing them with mechanisms to maximise ad revenue through aggressive ad displays.

The apps often disguise themselves by removing launch icons and UI elements. Some do not have an 'open' button, relying on persistent notifications to remain active in the background. Once installed, the apps launch full-screen interstitial ads, rendering devices largely inoperative.

The report traced the scheme's origins to early 2024, with simple flashlight and wallpaper apps updated to hide main app entry points. By using system-level triggers like broadcast receivers and background services, these apps activated ad-related services upon launch without user interaction.

The report details the scale of the operation, noting over 21 million live downloads between November 2024 and January 2025, coinciding with heightened holiday ad spending. Unnatural install patterns were also observed, with some apps, such as 'com.eatrg.Rise.Motivate,' reaching one million installs in 24 days, suggesting the use of app install schemes to inflate rankings.

A key aspect of Vapor's infrastructure is its use of dedicated domains for command-and-control (C2) communication, collecting device data like type, regional settings, and unique identifiers. To evade detection, the operation uses techniques such as string obfuscation via custom base64 encoding and the StringFog XOR implementation.

Despite Google's removal of the apps, the report warns that the scheme remains active, with threat actors continuously adding new apps to sustain the operation. The report highlights the evolving nature of ad fraud and the ongoing challenge of countering these tactics.