Overview
- The cluster amassed roughly 38 million downloads across 228 countries before Google removed the apps from the Play Store.
- At peak scale, the operation generated up to 2.3 billion programmatic ad bid requests per day using hidden WebViews.
- A stealthy malware component dubbed FatModule was delivered via four PNG images that concealed an APK, which was decrypted and reassembled on devices.
- Fraud was activated only on non‑organic (ad‑driven) installs: the apps inspected marketing‑attribution data and ran anti‑analysis checks before enabling the fraud module, so organic installs and analysis environments saw benign behaviour.
- HUMAN mapped a broad infrastructure that included multiple C2 servers, the tier‑2 domain ad2[.]cc, and 300+ promotional domains; traffic was concentrated in the U.S. (30%), India (10%), and Brazil (7%).