News
July 29, 2025
In 2025, mobile security threats have evolved dramatically, exploiting the spread of Android apps, BYOD, and reliance on official marketplaces. The IconAds mobile fraud operation is a case in point: more than 350 infected Android apps, 1.2 billion fraudulent ad requests per day, and an adaptive capability that has been evading Play Store controls for years.
But IconAds is just the tip of the iceberg. The mobile ecosystem is becoming a breeding ground for malware capable of generating advertising, financial and identity theft fraud. It is time for IT decision makers to address mobile security with a mature, structured and proactive approach.
IconAds presents itself as a highly organized mobile ad fraud operation. The apps involved, some of them published in the Google Play Store, hide their icon from the launcher and display out-of-context advertisements as part of mobile ad fraud campaigns. This behavior reduces usability, hinders app removal, and, most importantly, generates illicit ad revenue.
Some apps even go so far as to simulate the icon of the Play Store or official Google apps to induce the user to click and trigger fraudulent activity in the background.
To evade expert analysis, IconAds disables its malicious features if it detects that the app was installed from an unofficial source (sideloading). The result is a resilient, dynamic network that is difficult to dismantle, with a massive base of fraudulent traffic, particularly from Brazil, Mexico, and the United States.
In parallel, another campaign known as Kaleidoscope exploits a deceptive technique: twin deception.
Two nearly identical versions of the same app are distributed:
The malicious app generates invasive ads and fraudulent ad traffic, but it exploits the same app ID as the legitimate version. The result is a flow of illicit earnings and, at the same time, a compromise of device performance and the reputation of the real developers.
This technique, born out of the earlier “Konfety” scheme, has been adopted by groups active in Latin America, Turkey, Egypt, and India, where the use of unofficial stores is widespread.
Mobile fraud today does not stop at advertising. Malware families such as NGate, SuperCard X and Ghost Tap use NFC technology to hijack contactless card signals and generate fraudulent transactions remotely, bypassing normal security controls.
Added to this are campaigns such as Qwizzserial, which has infected over 100,000 devices in Uzbekistan by intercepting bank SMS messages and credentials, and SparkKitty, spyware active in Asia that uses OCR to search for images containing crypto wallet recovery phrases.
Many CISOs and IT managers underestimate the mobile perimeter, focusing resources on desktop endpoints and cloud infrastructure. But today, the biggest risks can come from:
A mobile policy should include:
Mobisec supports you with: