What’s going wrong with Play Store? Google has had its finger firmly on the delete button this month, with multiple threats bypassing its defenses and confirmation that it has already removed hundreds of malicious apps. But given the advice that users should trust Play Store instead of sideloading, this is optically awkward to say the least.
What is very clear is that you should not leave these apps on your phone.
Two weeks ago I warned that a malicious new campaign was exploiting Play Store to attack Android phones “on a massive scale.” The team at Integral Ad Science (IAS) dubbed this threat “Vapor,” given “its ability to ‘evaporate’ any real functionality from apps” it hijacked to take over user screens “rendering the devices largely inoperative.”
IAS flagged 180 malicious apps with 56 million downloads, but the threat is more extensive. Bitdefender has just reported that while “IAS Threat Lab uncovered a part of this threat, the campaign features at least 331 apps… gathering more than 60 million downloads.” And of more concern, while Google has deleted most of these apps, “15 were still online when the research was completed.”
The security researchers warn that attackers have managed “to hide the apps’ icons from the launcher, which is restricted on newer Android iterations,” and beyond ad fraud, “some apps have tried to collect user credentials for online services, and even credit card data, via phishing attacks.”
It’s not known whether this is a single threat actor or a malware toolkit sold or rented to multiple groups. But the fact it has been so successful, Bitdefender says, “is one of the main reasons why it’s not enough for users to rely solely on the protection available by default on Android devices and the Google Play Store.”
As I pointed out with IAS’s report, the hijacked apps all follow a similar theme: trivial functionality that lures users into a casual, free install from Play Store. Bitdefender echoes the same, warning that many of the apps were “QR scanners, expense tracking apps, health apps and wallpaper apps.” To this you can add document converters, PDF readers, horoscopes and flashlights. Yes, even flashlights.
“Vapor Apps present users with persistent and intrusive full screen ads that prevent users from interacting with or even uninstalling them from their devices,” Scott Pierce, head of fraud protection at IAS, told me. “The current strain of Vapor is now fully understood by IAS given the characteristics of these apps, and we appreciate the collaboration of our partners at Google in quickly addressing the issue. Google Play Protect will now warn users and automatically disable these apps.”
In response to IAS’s report, Google confirmed “if we find apps that violate our policies, we take appropriate action. We have removed all of the identified apps in this report from Google Play. Android users are also automatically protected from associated apps known to exhibit this type of behavior by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect will warn users and automatically disable these apps, even when apps come from sources outside of Play.”
But “to be clear,” Bitdefender warns Android users, “this is an active campaign. The latest malware published in the Google Play Store went live in the first week of March, 2025. When we finished the investigation, a week later, 15 applications were still available for download on Google Play.” It flags two apps “from the latest batch uploaded to the store on March 4,” Dropo and Handset Locator.
I have asked Google if they have acted on Bitdefender’s follow-on report.
Meanwhile, don’t assume Google will flag and remove these apps. Purge your phone of the apps flagged by Bitdefender, and of any other free, trivial apps you installed but no longer use. Bear in mind that the hidden launcher icon means you will not find them on your home screen; look under Settings, Apps, and if an app’s full-screen ads block that screen, reboot into Android’s safe mode (which disables third-party apps) and uninstall from there. Ensure Play Protect is enabled, and don’t be lured into disabling it to allow an app to install. And avoid the catnip temptation to install this kind of free app in the first place.
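As an added example (not code from the article, IAS, Bitdefender or Google), the following POSIX shell script performs the triage the advice above describes from a laptop over adb: it lists third-party packages with their install source, checks whether each still resolves a launcher icon (the trait Bitdefender describes, since an app that hides its icon is invisible on the home screen), reads the install-time verifier setting, and can uninstall a flagged package from the primary user profile even when the app’s overlay blocks the Settings UI. It assumes adb is on PATH, USB debugging is enabled, the device runs Android 7 or later (for `cmd package`), and that `package_verifier_enable` reflects the install-time verifier; the Play Protect switch inside the Play Store app remains the authoritative control and should be checked as well.

```shell
#!/bin/sh
# vapor_triage.sh: added example, not from the article or the vendors it cites.
# Flags third-party apps that lack a launcher icon or did not come from Play.
# Assumes: adb on PATH, USB debugging on, Android 7+ (for `cmd package`).

# Turn one line of `pm list packages -3 -i` into "<package> <installer>".
# Real adb output looks like:  package:com.example.app  installer=com.android.vending
parse_pkg_line() {
  line=$1
  pkg=${line#package:}
  pkg=${pkg%% *}
  inst=${line##*installer=}
  [ "$inst" = "$line" ] && inst=null    # no installer field at all
  printf '%s %s\n' "$pkg" "$inst"
}

# Decide whether an app deserves a look.
#   $1 = installer package, $2 = output of `cmd package resolve-activity`
# Prints a comma-separated list of flags, or "ok".
triage() {
  inst=$1; launch=$2; flags=""
  # Anything not installed by the Play Store client is sideloaded (or unknown).
  [ "$inst" != "com.android.vending" ] && flags="sideloaded"
  # No MAIN/LAUNCHER activity resolves: the app has no (or a disabled) home-screen icon.
  case $launch in
    *"No activity found"*|"") flags="${flags:+$flags,}no-launcher-icon" ;;
  esac
  printf '%s\n' "${flags:-ok}"
}

# Live scan of the connected device.
scan_device() {
  adb shell pm list packages -3 -i | tr -d '\r' | while IFS= read -r l; do
    set -- $(parse_pkg_line "$l")
    pkg=$1; inst=$2
    launch=$(adb shell cmd package resolve-activity --brief \
      -a android.intent.action.MAIN -c android.intent.category.LAUNCHER "$pkg" 2>&1 | tr -d '\r')
    printf '%-45s %-25s %s\n' "$pkg" "$inst" "$(triage "$inst" "$launch")"
  done
  # 1 = install-time verifier on. Assumption: this mirrors Play Protect's verifier;
  # still confirm the toggle in Play Store > Play Protect.
  printf 'package_verifier_enable=%s\n' \
    "$(adb shell settings get global package_verifier_enable | tr -d '\r')"
}

# Remove a flagged package for user 0 without touching the device's Settings UI,
# which is useful when a full-screen ad overlay blocks it as the article describes.
remove_pkg() { adb shell pm uninstall --user 0 "$1"; }

if [ "${1:-}" = "scan" ]; then scan_device; fi
if [ "${1:-}" = "remove" ] && [ -n "${2:-}" ]; then remove_pkg "$2"; fi
```

Run `sh vapor_triage.sh scan` to get one line per third-party package, then `sh vapor_triage.sh remove <package>` for anything you want gone. Treat the flags as leads rather than verdicts: keyboards, widget-only apps and some plugins legitimately have no launcher icon, so cross-check flagged names against Bitdefender’s published list before removing anything you recognise.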