White Ops’ research claims that these Android apps had over 20 million downloads.
Most of these apps on Google Play store focused on beauty features
Google has removed 38 apps from its Google Play store that infested Android smartphones with out-of-context advertisements. According to a research paper, these apps focused on beauty-related features (mostly for taking selfies); however, they served no legitimate purpose and were only intended for displaying malicious ads. It is also noted that the fraudulent apps redirected users to "out-of-context URLs" and in some cases, made it nearly "impossible" for users to delete them. The research paper claims that these apps had amassed more than 20 million downloads.
The findings were published in a research paper by Bot mitigation company White Ops and were reported by ZDNet. The authors of the research paper claim that the all apps on Google Play store were developed by the same group of developers.
The research points out that the first batch of these apps (21 out of 38) appeared on Google Play in January 2019 and was focused on taking selfies or adding filters to users' photos. But those were quickly removed from the Google Play store after their malware-like behaviour was detected.
"But even with an average of less than three weeks of time on the Play Store, the apps found an audience: the average number of installs for the apps we analysed was 565,833," the research reads.
By September 2019, the developers had changed their tactics and published a batch of 15 apps that had a much slower removal rate. In November 2019, two new apps namely, Rose Photo Editor & Selfie Beauty Camera and Pinut Selife Beauty Camera & Photo Editor were updated with "most of the fraudulent code," to avoid detection, the paper indicated.
The White Ops paper notes that to avoid the malicious ad-bombarding code from being detected, most of these apps used "packers." These packers are hidden in the APK in the form of extra DEX files.
"The bad actor(s) behind this threat tried several packers in the apps, which clearly tells us of their sophistication, resources available, and determination," the research paper reads.
"Historically, packing binaries is a common technique malware developers use to avoid being detected by security software like antivirus. Packed files in Android are not new and can't be assumed to be malicious, as some developers use packing to protect their intellectual property and try to avoid piracy," the paper added.
The second method of avoiding detection comprised using Arabic characters in various places of the apps' source code. This particular methodology of obfuscation essentially helps reducing readability for people not familiar with Arabic, therefore, avoiding further detection.
As mentioned, these apps displayed out-of-context ads and in some cases, they removed app icons that made it difficult for users to uninstall the app from their Android devices. Although Google has removed these 38 apps from the app store, it is likely that they still are installed on several devices.
You can find the full list of app removed from the Google Play store on the researcher's website.
Which is the bestselling Vivo smartphone in India? Why has Vivo not been making premium phones? We interviewed Vivo's director of brand strategy Nipun Marya to find out, and to talk about the company's strategy in India going forward. We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.