Ethical Hacking News
A massive ad fraud operation dubbed IconAds has been exposed by HUMAN, with 352 Android apps found to load out-of-context ads on a user's screen and hide their icons from the home screen launcher. Meanwhile, another operation dubbed Kaleidoscope uses an "evil twin" technique to generate intrusive ads. The report also highlights the rise of NFC scams that are committing financial fraud using inventive relay techniques.
Key points:
- 352 Android apps have been identified as part of massive ad fraud operations dubbed IconAds, Kaleidoscope, SMS Malware, and NFC scams affecting Android devices worldwide.
- The ad fraud scheme accounts for 1.2 billion bid requests a day, with the majority coming from Brazil, Mexico, and the United States.
- Malicious apps use obfuscation techniques to conceal device information and replace default launcher activities to load ads in the background.
- Clicking on malicious apps redirects victims to official apps while malware activity occurs in the background, often involving SMS message access and phone numbers.
- A new ad fraud operation called Kaleidoscope uses an "evil twin" technique, creating identical versions of harmless apps to generate intrusive ads.
- Kaleidoscope has generated billions of fake ad impressions across Latin America, Türkiye, Egypt, and India.
- NFC scams are being used to commit financial fraud through inventive relay techniques, inspired by malware families like NGate and SuperCard X.
- A new Android malware campaign has infected nearly 100,000 devices in Uzbekistan, resulting in estimated losses of at least $62,000.
In a recent exposé by HUMAN, a trusted cybersecurity news platform, details have been revealed about massive ad fraud operations dubbed IconAds, Kaleidoscope, SMS Malware, and NFC scams that are wreaking havoc on Android devices worldwide. The report from HUMAN's Satori Threat Intelligence and Research Team has exposed 352 Android apps that were designed to load out-of-context ads on a user's screen and hide their icons from the device home screen launcher, making it harder for victims to remove them. The operation accounted for an astonishing 1.2 billion bid requests a day at the height of its activity, with the vast majority of IconAds-associated traffic originating from Brazil, Mexico, and the United States.
The ad fraud scheme overlaps with threats that other cybersecurity vendors track under different names, such as HiddenAds and Vapor, which have been evading detection for years. The newly identified apps share three traits: obfuscation techniques that conceal device information during network communications, a fixed naming pattern for the command-and-control (C2) domains, and the ability to replace the default MAIN/LAUNCHER activity by declaring an alias.
This behavior causes the app's name and icon to be hidden from the home screen, preventing easy uninstallation. The end goal of these apps is to load interstitial ads regardless of which app is active, effectively disrupting user experience. In some cases, variants of the IconAds apps have been found to impersonate the Google Play Store or other Google-related application icons and names instead of concealing them.
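The launcher-alias trait described above can be checked statically. The following is an added example, not code from HUMAN's report or from any of the apps discussed: it parses a constructed AndroidManifest.xml and flags the case where only an activity-alias (rather than a real activity) owns the MAIN/LAUNCHER entry, and where that entry's label imitates Google Play. The manifest content, package name and component names are all invented for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest (not taken from any real app): the entry activity has
# no launcher filter, while a separate alias provides the home-screen icon and carries
# a label that imitates Google Play.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:label="Photo Tools">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".LauncherAlias"
        android:targetActivity=".MainActivity"
        android:label="Google Play Store">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>"""

NS = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace


def has_launcher_filter(component):
    """True if the <activity> or <activity-alias> declares a MAIN/LAUNCHER intent filter."""
    for f in component.findall("intent-filter"):
        actions = {a.get(NS + "name") for a in f.findall("action")}
        cats = {c.get(NS + "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def audit_manifest(xml_text):
    """Return findings for the icon-hiding and impersonation traits; empty list if clean."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    launcher_activities = [a for a in app.findall("activity") if has_launcher_filter(a)]
    launcher_aliases = [a for a in app.findall("activity-alias") if has_launcher_filter(a)]
    if launcher_aliases and not launcher_activities:
        # Only an alias owns the launcher entry: if the app disables that alias at runtime,
        # the icon disappears from the home screen while the target activity keeps running.
        for alias in launcher_aliases:
            findings.append("launcher-only-alias:%s->%s"
                            % (alias.get(NS + "name"), alias.get(NS + "targetActivity")))
    for comp in launcher_activities + launcher_aliases:
        label = (comp.get(NS + "label") or "").lower()
        if "google play" in label or "play store" in label:
            findings.append("impersonates-google-play:%s" % comp.get(NS + "name"))
    return findings
```

A launcher entry declared on an alias is legitimate in many benign apps, so treat the finding as a triage signal to combine with the obfuscation and C2-naming traits the report describes, not as proof of fraud on its own.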
Clicking on the malicious app redirects the victim to the official app while the malicious activity takes place in the background. The attack relies on users granting permission to access SMS messages and phone calls, and then entering two phone numbers and their bank card details along with the expiration date. The entered information is then sent to the attackers via a Telegram bot API.
Another ad fraud operation dubbed Kaleidoscope has been exposed by IAS Threat Lab, which uses an "evil twin" technique. This involves creating nearly identical versions of the same app, a harmless "decoy twin" available on Google Play and an "evil twin" that's distributed through third-party app stores or fake websites. The "evil twin" app then generates intrusive ads to fraudulently earn advertising revenue.
The operation impacts a large number of Android users across the world, with the most affected being Latin America, Türkiye, Egypt, and India due to the popularity of third-party app stores in these regions. According to telemetry data from ESET for the period December 2024 to May 2025, Kaleidoscope has generated billions of fake ad impressions.
Another malicious campaign is using NFC technology to commit financial fraud through inventive relay techniques that allow NFC signals from a victim's payment card to be routed through the compromised phone to attacker-controlled devices. This technique is inspired by two other malware families, NGate and SuperCard X. Malware campaigns leveraging these malicious programs have claimed successful infections across Russia, Italy, Germany, and Chile.
NGate has also been an inspiration for another NFC-based technique referred to as Ghost Tap, in which attackers register stolen card data in their own digital wallets, such as Google Pay and Apple Pay. The loaded wallets are subsequently relayed to conduct fraudulent contactless payments anywhere in the world.
In addition, a new Android malware campaign has infected nearly 100,000 devices primarily in Uzbekistan. The resulting financial losses are estimated to be at least $62,000 between March and June 2025. This malware is designed to harvest a list of installed financial apps, intercept two-factor authentication (2FA) SMS codes, and exfiltrate the details to the attackers via Telegram bots.
The malware masquerades as legitimate banking apps and government services, and is mainly distributed as APK files on bogus Telegram channels that claim to belong to government entities and officials. The attackers abuse the trust users place in government services to trick them into installing the apps.
In conclusion, these recent discoveries highlight the evolving nature of Android ad fraud operations and NFC scams. As cybersecurity vendors continue to adapt to new threats, it is essential for Android device owners to remain vigilant and take proactive measures to protect themselves from these malicious activities.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Dark-Side-of-Android-Uncovering-the-Massive-Ad-Fraud-Operations-and-NFC-Scams-ehn.shtml
https://thehackernews.com/2025/07/mobile-security-alert-352-iconads-fraud.html
https://www.malwarebytes.com/blog/news/2025/05/android-users-bombarded-with-unskippable-ads
https://www.newsbytesapp.com/news/science/kaleidoscope-ad-fraud-scam-hitting-millions-of-android-users-globally/story
https://www.kaspersky.com/resource-center/threats/sms-attacks
https://www.bitdefender.com/en-us/blog/hotforsecurity/how-to-recognize-malicious-sms-messages
https://www.phonearena.com/news/android-users-should-delete-any-apps-on-this-list_id170239
https://www.pcrisk.com/removal-guides/24451-hiddenads-malware-android
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-hiddenads-malware-that-runs-automatically-and-hides-on-google-play-1m-users-affected/
https://www.bleepingcomputer.com/news/security/malicious-android-vapor-apps-on-google-play-installed-60-million-times/
https://www.securityweek.com/300-malicious-vapor-apps-hosted-on-google-play-had-60-million-downloads/
https://cybermaterial.com/ngate-trojans-malware/
https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/
https://www.pcrisk.com/removal-guides/32717-supercard-x-malware-android
https://www.packetlabs.net/posts/supercard-x-android-malware/
https://cybersecuritynews.com/ghost-tap-attack/
https://thehackernews.com/2024/11/ghost-tap-hackers-exploiting-nfcgate-to.html
Published: Thu Jul 3 11:59:53 2025 by llama3.2 3B Q4_K_M