Google Play Store, the most widely used app store for Android, was recently found hosting 331 malicious apps that bypassed Android 13’s security features. This discovery, dubbed “Vapor,” was first reported by IAS Threat Lab in early 2024, identifying 180 such apps generating over 200 million fake ad requests. Security firm Bitdefender later expanded the count to 331, warning that these apps displayed intrusive ads and attempted phishing attacks to steal user credentials and credit card information.
Some of these apps disguised themselves as legitimate ones, such as Google Voice, and could launch in the background without user interaction. Others displayed full-screen ads, disabled Android’s back button, and even created fake login pages for platforms like Facebook and YouTube.
According to Bitdefender, the apps initially provided basic functionalities, which helped them get approved on the Play Store. However, developers later introduced malicious features, allowing them to operate stealthily and collect sensitive user data. Many of these apps were categorized as utilities, such as QR scanners, health trackers, and wallpaper apps. Examples include AquaTracker, ClickSave Downloader, Scan Hawk, Water Time Tracker, Be More, and TranslateScan, each amassing over a million downloads.
Though the apps were published under different developer accounts, each account had only a few apps to avoid suspicion. They were uploaded between October 2024 and January 2025, with some appearing as recently as March. Google has since removed all identified apps from the Play Store.
