Update: Republished on May 10 with new warnings into high-risk apps.
A serious threat to Android users has been revealed today, with as many as 2.5 million dangerous apps being installed each and every month. The apps have a nasty trick that fools users into the initial download, and once on a phone, the damage is done. There’s a new list of apps to delete, but there’s also a simple warning that will help keep you safe.
The new report comes courtesy of Integral Ad Science, the same team that warned of the “Vapor” attacks on Android phones in March. This new threat is dubbed “Kaleidoscope — due to its constant transformations as it tries to evade detection and analysis.” The name has changed but the threat is broadly the same.
The cyber criminals behind this latest ad fraud machine plant benign apps on Google’s Play Store that contain none of their malicious code. They then distribute malicious replicas of those apps through third-party app stores and direct installs. Users are directed to those duplicates via messaging and social media channels. To users, it seems that they’re downloading a legitimate app through an ad or promotion. And to advertisers, it seems their ad impressions are coming from legitimate apps.
The attackers’ payday comes via those advertisers who have no idea their ads are being pushed out at an industrial scale to infected phones, where they disrupt the normal use of the phone to generate impressions which turn to cash. “The malicious app delivers intrusive out-of-context ads under the guise of the benign app ID in the form of full-screen interstitial images and videos, triggered even without user interaction.”
The SDK driving this malicious behavior has been updated and has now even been retrospectively added into apps that were previously caught doing the same. They now have a differently named SDK at their core. The infected apps are on this list.
This type of threat is well established. A year ago, I reported on the “evil twin” attacks flagged by Human Security, which warned that the “Konfety” ad fraud operation had deployed as many as 250 decoy apps on Play Store. Those legitimate and malicious apps shared a common “CaramelSDK” reference which aided detection and mitigation. Those references have been removed, albeit the original threat itself has not gone away.
IAS says it “analyzed both earlier and newer versions of benign and malicious variants associated with this scheme, examining previously known apps as well as newly discovered ones involved in this evolving threat.”
Google has removed flagged apps from Play Store and assures Play Protect will safeguard users from known versions of the threat. But this is a sideloading problem and an industry problem. “The entities behind Kaleidoscope have successfully identified a network of resellers who are not particularly diligent in vetting the quality of the inventory they deliver to advertisers, enabling them to effectively launder their traffic.”
Advice on staying safe is simple. If you’re in the habit of sideloading, then scan the list of infected apps and delete any you recognize. Then take care on how many such third-party or direct installs you allow onto your phone.
Sideloading has never been more under threat than now. It remains one of the key differentiators between Android and iPhone, notwithstanding Apple has again just been given 90 days to allow sideloading in Brazil. This follows the more significant EU ruling in Europe and the more material (financially at least) Epic Games ruling in the U.S.
Google has clamped down on sideloading in Android 15, making it harder at least. And Samsung has gone further with One UI 7, its Android 15 wrap, expanding its default maximum restrictions to do all it can to deter users from installs outside main stores.
“I no longer seem to be bothered about the ability to sideload apps,” explained one newspaper columnist this weekend. “It’s just too risky in 2025, and I’ve heard the same from quite a few Android loyalists who now stay away from sideloading for one specific reason — security.” And this despite that same columnist “picking the OnePlus 13, my current daily driver, for multiple reasons; primarily for the fact that it’s an Android-powered device that allows sideloading.”
Sideloading makes this type of ad fraud possible. It relies on users downloading the malicious replica apps from direct links or third-party stores, and whole there’s a Play Store dimension to this, it’s those replica installs that do all the damage.
When Europe pushed Apple to open up to other app stores, the iPhone-maker warned the change “brings greater risks to users and developers. This includes new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats. These changes also compromise Apple’s ability to detect, prevent, and take action against malicious apps on iOS and iPadOS, and to support users impacted by issues with apps downloaded outside of the App Store.”
This latest threat presents those risks, “a sophisticated evolution in ad fraud,” IAS says, “where threat actors continually adapt to evade detection and extend the scheme’s reach. By rebranding their SDKs, shifting command-and-control infrastructure, and embedding malicious capabilities into benign-appearing applications, these threat actors demonstrate a relentless focus on circumventing defenses.”
