Cyber criminals have managed to get at least 331 dangerous applications into the official Google Play store, where they were downloaded over 60 million times, Bitdefender says.
Hackers have placed some applications in Google Play
Bitdefender security researchers have identified a large-scale advertising campaign that placed hundreds of malicious applications in the Google Play store, resulting in a total of over 60 million downloads. The applications display out-of-context advertisements and even try to persuade victims to hand over credentials and credit card information in phishing attacks. These seemingly trivial applications, such as QR code scanners, expense trackers, health apps and wallpaper apps, display advertisements aggressively and try to get users to disclose personal data, including access credentials, in phishing attacks.
The attackers used sophisticated methods to evade Google’s security measures, including hiding the applications' icons immediately after installation, a behavior that is restricted in more recent Android versions. As a result, victims cannot easily identify the applications or remove them from the phone. In some cases, the applications change their names to “Google Voice” to make them look completely normal.
In most cases, the dangerous applications identified by Bitdefender researchers had some legitimate features to mislead users, but they could also display ads without the usual permissions or any direct user interaction. In addition, they could automatically launch fake pages that request sensitive data, such as Facebook or YouTube passwords and even bank card information.
Another identified risk is the ability of these applications to start without user interaction, although this should not be technically possible on Android 13.
The campaign started last year is still active
The analysis by Bitdefender specialists shows that the first applications in this wave became active on Google Play in the autumn of 2024. Some of these applications were initially legitimate but became dangerous after subsequent updates. The campaign that started last year is still active, and the latest infected applications were uploaded to Google Play in the first week of March 2025.
Researchers warn that although Google periodically removes such dangerous applications, cyber criminals always find new ways to exploit existing protection systems. They often use special tools purchased on the black market, such as wrapping tools that hide the true nature of the dangerous code and make it seem authentic. This is why specialists recommend that users not rely exclusively on the default protection offered by Android or Google Play, but also use dedicated security solutions.
How users can be protected
Bitdefender specialists recommend that users be cautious and always check the source of applications before downloading, read the reviews carefully and pay special attention to the requested permissions. They also point out that threats are much more difficult to detect and remove on a phone than on a desktop, because dangerous applications may not display their icons or activity. A Bitdefender Mobile Security technology called “App Anomaly Detection” monitors the behavior of applications immediately after installation and thus quickly detects any suspicious change that turns legitimate applications into dangerous ones.