Malicious Android Apps Hide in Plain Sight, Target Millions of Devices


A new report has uncovered a widespread malicious Android app campaign known as “Vapor,” which aims to deceive users into sharing sensitive information through deceptive ads and tactics. Initially discovered by IAS Threat Labs, this active campaign has been detailed further in a recent Bitdefender report. The malicious apps, disguised as useful utilities like QR scanners, health trackers, and expense management tools, have collectively been downloaded over 60 million times, with some apps exceeding a million downloads on the Google Play Store.

The malware campaign primarily targets users in Brazil, the US, and Mexico. Though the majority of the apps have been removed from the Play Store by Google, new variants continue to emerge. In fact, one app was published as recently as March 2025, remaining live for a week before being taken down. These apps, which initially do not show any malicious behavior, evade Google Play’s scrutiny by leveraging the Android ContentProvider—a component activated immediately after installation, before the user interacts with the app.

Once installed, the malicious apps use a foreground service to display intrusive, full-screen ads. To avoid detection, some apps hide their icons or change their names to mimic legitimate apps, such as renaming themselves to “Google Voice.” This is a tactic designed to make the app harder to find and uninstall.
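For defenders triaging a suspect APK, the traits described above (a ContentProvider that runs before any user interaction, a foreground service, and a hidden or renamed launcher entry) can be checked in the app's manifest. The following is an added example, not code from the IAS Threat Labs or Bitdefender reports; it assumes the manifest has already been decoded to text XML (for instance with apktool), the sample manifest is constructed, and the review rule is an illustrative heuristic rather than a verdict.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
MAIN, LAUNCHER = "android.intent.action.MAIN", "android.intent.category.LAUNCHER"

# Constructed sample (not a real app): decoded AndroidManifest.xml text.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscan">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="QR Scan">
    <provider android:name=".StartupProvider" android:authorities="com.example.qrscan.init"/>
    <service android:name=".AdService" android:foregroundServiceType="specialUse"/>
    <activity android:name=".Main" android:enabled="false">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity-alias android:name=".Alias" android:label="Google Voice"
        android:targetActivity=".Main" android:enabled="false">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity-alias>
  </application>
</manifest>"""

def is_launcher(node):
    """True if the component carries a MAIN + LAUNCHER intent filter."""
    return any({MAIN, LAUNCHER} <= {c.get(A + "name") for c in f}
               for f in node.findall("intent-filter"))

def triage(manifest_xml):
    """Collect the manifest traits the article describes; flag for manual review."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.findall("uses-permission")}
    launchers = [n for tag in ("activity", "activity-alias")
                 for n in root.iter(tag) if is_launcher(n)]
    out = {
        # Providers are instantiated by the system before any Activity code runs.
        "providers": [p.get(A + "name") for p in root.iter("provider")],
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms,
        # A launcher entry shipped disabled is an icon-hiding setup worth a look.
        "hidden_launchers": [n.get(A + "name") for n in launchers
                             if n.get(A + "enabled") == "false"],
        # Aliases can be toggled at runtime to swap the visible name and icon.
        "alias_labels": [n.get(A + "label") for n in launchers if n.tag == "activity-alias"],
    }
    icon_trick = bool(out["hidden_launchers"] or out["alias_labels"] or not launchers)
    out["review"] = bool(out["providers"]) and out["foreground_service"] and icon_trick
    return out
```

Each trait is common in legitimate apps on its own, so the `review` flag only marks the combination for a closer manual look.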

The malicious apps employ sophisticated techniques to exfiltrate device information, making detection more challenging. The attackers also use scare tactics, warning users that their devices are infected and encouraging them to download additional, potentially malicious apps.

Experts suggest that the campaign could be the work of a single cybercriminal group or multiple attackers using a shared malware development tool, often sold on black markets. The malware’s distribution is carefully controlled, with multiple developer accounts used to minimize detection risk.

While Google has removed the affected apps, the ongoing appearance of new variants highlights the evolving nature of mobile malware and the importance of vigilance when downloading apps.