Thursday, November 27, 2025

Attackers figured out a way to hide the apps’ icons from the launcher

Check Point researchers uncover a large-scale Android adware campaign that silently drains resources and disrupts normal phone use through persistent background activity.

During an internal threat-hunting investigation, the Check Point Harmony Mobile Detection Team identified a network of Android applications on Google Play masquerading as harmless utility and emoji-editing tools.

Behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed the apps or rebooted their devices, quietly consuming battery and mobile data.

At its peak, the campaign, now dubbed “GhostAd”, included at least 15 related apps, five of which were still available on Google Play at the start of our investigation. Most targeted users appear to be from East and Southeast Asia, particularly the Philippines, Pakistan, and Malaysia.

Key findings

The campaign features at least 331 apps that were available via the Google Play Store (15 were still online when the research was completed), gathering more than 60 million downloads.

Attackers figured out a way to hide the apps’ icons from the launcher, a behavior that is restricted on newer Android versions.

The apps have some functionality in most cases, but they can show out-of-context ads over other applications in the foreground, bypassing restrictions without using specific permissions that allow this behavior.

Some apps have tried to collect user credentials for online services, and even credit card data, via phishing attacks.

The apps can start without user interaction, even though this should not be technically possible in Android 13.

The campaign seems to be either the work of one actor or that of multiple criminals using the same packaging tool sold on black markets.

User Experience: “It Takes Over Your Phone Like a Virus”

As always, the user reviews told the real story. Across multiple listings, frustrated users described how the apps flooded their phones with invisible activity and constant interruptions:

“It’s the worst app I’ve ever used – it disturbs my privacy and takes over other apps for ads.”

“Do not install this app! It will block you from using your phone with annoying pop-ups every 10 seconds.”

“WORST APP EVER. It disappears when you try to uninstall it, while pouring lots and lots of ads in your phone.”

These comments highlight the hidden persistence that defines the GhostAd campaign — adware that doesn’t just display ads but embeds itself deeply into the system, running long after the user thinks it’s gone.

By - Aaradhay Sharma
