March 22, 2025, 9:06 am | Read time: 3 minutes
Security researchers have uncovered a large-scale malware campaign with more than 300 infected Android apps. Affected users must take action to remove the malware from their smartphones.
In total, the apps have been installed more than 56 million times. They pretend to be helpful utilities but activate their adware function once launched. In some cases, they even lead unsuspecting users to fake websites in order to obtain login details or credit card information.
Large-Scale Malware Campaign “Vapor”
The threat detection laboratory of the advertising researcher IAS has published a detailed report on the potential dangers of Vapor malware. IAS was initially able to identify 180 malicious apps in the malware campaign, which has been running since the beginning of 2024. These generated 200 million fraudulent advertising requests every day:
“When the app is fully set up, it immediately attempts to overwhelm the user with full-screen interstitial ads that hijack the device’s screen and render the user’s device largely inoperable.”
IAS: Vapor Threat Report
A later report from Bitdefender corrected the number of affected apps to 331, with most infections in Brazil, the US, Mexico, Turkey, and South Korea.
About Play Store Numerous Smartphones Infected with Spyware from North Korea
Several Apps Affected Nasty Malware Can Read Screenshots on Smartphones
Risk potential "high" Security vulnerabilities discovered in popular free password managers
Phishing Attacks with Fake Websites
The Vapor malware campaign uses deceptively real service apps such as health trackers, diaries, and QR scanners. The apps gain the trust of users before they subsequently activate their malicious functions. Some of the apps also open fake login screens for Facebook and YouTube. This allows them to steal access data or trick users into entering their credit card details.
The attackers distributed their apps across several developer accounts to make detection more difficult and minimize the damage in the event of removal by Google. Five of the identified apps have more than one million downloads each, according to Bleeping Computer.
- AquaTracker — 1 million downloads
- ClickSave Downloader — 1 million downloads
- Scan Hawk — 1 million downloads
- Water Time Tracker — 1 million downloads
- Be More — 1 million downloads
- BeatWatch — 500,000 downloads
- TranslateScan — 100,000 downloads
- Handset Locator — 50,000 downloads.
The complete list of installation packages can be found in a freely accessible Excel document and on the developer platform Github with the package names or the corresponding websites. If any of these apps are still on your smartphone, TECHBOOK recommends that you uninstall them immediately.
Most of these apps appeared in the Google Play Store between October 2024 and March 2025. Although Google has since removed these malicious apps from the Play Store, security experts warn that similar threats could reappear. The attackers are able to bypass Google’s security checks. Users should, therefore, be careful when installing apps from unknown developers. We also recommend regularly checking the permissions to ensure that the apps do not gain unauthorized access to sensitive data.