Overview
- The removed apps accumulated roughly 38 million installs across more than 220 countries and generated about 2.3 billion unseen ad impressions per day.
- After installation, the apps fetched an encrypted configuration via Firebase Remote Config that pointed to over 300 fraudulent sites, JavaScript droppers, and PNG files with hidden code.
- The steganographic payload assembled a “FatModule” that ran concealed WebView activity to load ads without user interaction.
- Activation was conditional on the install being ad-driven and on checks for emulators, rooting, or debugging, which helped the apps evade researchers and ad platforms.
- Google says it has taken down the known apps, updated Play Protect, and will prompt affected users to uninstall, while Human Security warns the operators are likely to try again.