The Android ecosystem clearly makes hackers salivate. After all, it’s one of the world’s largest user populations, ripe for attack. Watching how cybercriminals alter their craft is a never-ending, ever-evolving feat—and the discovery of the “Vapor” ad fraud scheme shows us yet another example of cybercriminals taking advantage of the Google Play Store to spread deceptive and dangerous apps.

Unlike traditional malware, Vapor apps disable real functions on devices and push intrusive ads at users while avoiding system damage and data theft. The novel fraud scheme really does stand out because of its sheer scope and high level of complexity.

“Ad fraud is perceived as a low but steady money-making machine for cybercriminals,” said Deniz Kabakci, Lead Security Engineer at Verimatrix. “Every year, we see at least one sophisticated ad fraud scheme like this one that scales massively and steals considerable amounts from advertisement budgets. It relies on the well-known versioning technique to bypass the Play Store vetting process. Its rapid growth with multiple apps, developer accounts, and ad SDKs prevents the behavioral models of the ad ecosystem from detecting fraud promptly. Better on-device visibility is the key to mitigating sophisticated ad fraud schemes.”

The evolution of schemes like Vapor shows how cybercriminals are becoming more strategic in blending into the app ecosystem. These aren’t your typical trojans—they’re apps that look and act normal just long enough to gain trust, then turn into something much more disruptive. That’s what makes them so dangerous.

Vapor apps employ a bait-and-switch strategy. When first published, they present as functional tools such as QR scanners and flashlight apps, pass the Google Play Store's security checks, and remain undetected. But then there's the kicker: after installation and subsequent updates, these apps transform into deceptive programs that launch aggressive full-screen ads, take control of the device's interface, and prevent users from exiting the app or returning to the home screen.

“These deceptive designs allow the apps to infiltrate user devices without raising suspicion… Some of these apps have no visible icon or ‘open’ button available for the user to interact with,” wrote Forbes contributor Zak Doffman, citing a report from IAS. “The ‘attack’ itself was a screen takeover, with full-screen ads shown in a way that prevented a user from closing the app or returning to the home screen, effectively hijacking the device’s screen and rendering the user’s device largely inoperative.”

The goal is ad revenue fraud

These apps fundamentally exist to carry out ad revenue fraud. By forcing the display of full-screen interstitial ads (i.e., full-screen ads that appear between content transitions, such as between levels in a game or between web pages), these apps create large volumes of invalid ad impressions that generate millions of dollars for fraudulent parties. Certain Vapor apps have exceeded one million downloads, while total installations have reached nearly 60 million across more than 180 apps. That's eye-popping for sure. Thankfully, most if not all have been done away with… for now.

Experts began investigating and exposed the Vapor operation at the start of last year. The fraudsters operating Vapor apps use multiple developer accounts to host small numbers of apps each. The distributed nature of their operation prevents Google from completely neutralizing the Vapor threat because eliminating one developer account only marginally disrupts their activities.

Through the ad SDKs integrated into Vapor apps, fraudsters can create seller accounts and earn money from displayed advertisements. The apps participating in this scheme use automated installation methods that inflate download numbers and manipulate Play Store rankings to deceive unsuspecting users into trusting them.

What Vapor apps really do

While Vapor apps forgo standard malware and data theft methods, they still introduce significant security risks:

  • As full-screen ads continue to pop up endlessly, users find themselves unable to close them and exit the application, which often makes the device practically unusable.
  • Apps that run in the background consume more processing power, which results in much faster battery drains.
  • Each forced ad impression generates money for fraudsters that they then use to support illegal operations.
  • Although the apps currently specialize in ad fraud, there is of course the chance that they could be (or already have been) altered to incorporate data theft and spyware payloads in the future.
  • The sudden flood of advertisements leaves users unsure how and why it is happening, which creates frustration and spoils their experience.

An ongoing problem?

Google did indeed quickly purge the Vapor apps from the Play Store following the revelations about the operation. But research indicates that Vapor does continue to operate despite removal actions. The constant influx of new apps from fraudsters perpetuates the scheme, forcing Google and others to constantly adapt their defense measures to combat the attackers.

Ad fraud has been around for some time, but Vapor demonstrates how this type of fraud continues to develop. Businesses encounter approximately $17 million in losses every day from digital ad fraud, with app install fraud and SDK spoofing serving as the primary dangers. It’s the enormity and widespread nature of Vapor that underscores why people should be so careful and diligent in their decision to select an app in the first place.

Users can protect themselves from Vapor-like threats by taking proactive measures while Google, alongside cybersecurity firms, continues its efforts against fraudulent apps:

  • Exercise caution with apps developed by unknown sources that have overly simple functions such as flashlight apps, QR scanners, and horoscope apps.
  • Look for patterns of repetitive or generic compliments in reviews, since fraudulent applications typically feature fake reviews that can be detected this way.
  • Avoid downloading apps that request more permissions than needed for their basic operations.
  • Activate Google Play Protect on your Android device to get alerts about suspicious applications.
  • Always update your device, as it helps boost protections by applying the newest security updates that potentially defend against emerging threats.
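
For analysts who want to apply the permission and hidden-icon checks above to app updates, the following added example (not from this article or the cited research) compares two decoded AndroidManifest.xml files for the changes the versioning technique relies on. The manifests, the com.example.flashlight package name and the EXPECTED permission set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed decoded manifests for two releases of a hypothetical flashlight app.
V1 = f"""<manifest {NS} package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><activity android:name=".MainActivity">
    <intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
  </activity></application>
</manifest>"""
V2 = f"""<manifest {NS} package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

# Assumption: what a flashlight plausibly needs; the reviewer sets this per app category.
EXPECTED = {"android.permission.CAMERA"}

def summarize(manifest_xml):
    """Return (requested permissions, whether a LAUNCHER entry is declared)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    launcher = any(c.get(A + "name") == "android.intent.category.LAUNCHER"
                   for f in root.iter("intent-filter") for c in f.iter("category"))
    return perms, launcher

def diff_releases(old_xml, new_xml, expected):
    """List changes between two releases that match the traits described above."""
    old_perms, old_launcher = summarize(old_xml)
    new_perms, new_launcher = summarize(new_xml)
    findings = [f"added permission outside stated purpose: {p}"
                for p in sorted(new_perms - old_perms - expected)]
    if old_launcher and not new_launcher:
        # Heuristic only: icon visibility also depends on Android version and runtime state.
        findings.append("launcher entry removed")
    return findings

if __name__ == "__main__":
    for finding in diff_releases(V1, V2, EXPECTED):
        print(finding)
```

A finding here is a prompt for manual review of the update, not proof of fraud.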

Vapor is a reminder that today’s threats don’t always steal data—they hijack trust. While recent takedowns have curbed some of the damage, the evolving nature of these schemes means we haven’t seen the last of them. Staying alert, asking questions before tapping “install,” and hardening mobile apps with layered protection remain some of the best ways to stay one step ahead.