Check Point researchers identified a network of Android applications on Google Play masquerading as harmless utility and emoji-editing tools.
But, behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed or rebooted their devices, quietly consuming battery and mobile data.
At its peak, the campaign, now dubbed “GhostAd”, included at least 15 related apps, five of which were still available on Google Play at the start of our investigation.
About 75% of targeted users appear to be from East and Southeast Asia, particularly the Philippines, Pakistan, and Malaysia with a smaller portion from other nearby countries and across Europe, Africa and Israel.
This pattern is most likely a reflection of users who have downloaded these kinds of free “utility” apps, rather than an intentional choice by the operator.
Together, these apps accounted for millions of downloads, with one reaching the number position position in Google Play’s “Top Free Tools” category.
Despite their wide reach and intrusive behavior, the apps remained available on Google Play at least since early October, continuing to attract new downloads.
Users quickly began leaving reviews describing problems such as persistent pop-up ads, vanishing app icons when attempting to uninstall, and devices becoming slower or less responsive.
The GhostAd campaign causes noticeable device disruption even without stealing data or showing classic malware behaviour.
It quietly hijacks system resources for ad delivery, leading to performance and usability issues reported by real users.
Key impacts include:
* Battery Drain: Persistent foreground services and job schedulers keep the CPU awake indefinitely, reducing battery life.
* User Deception: Hidden icons and blank notifications disguise the apps’ presence, making removal difficult.
* Reduced Performance: Constant background processes slow down other apps and degrade responsiveness.
GhostAd demonstrates how legitimate advertising infrastructure can be repurposed into a large-scale abuse network – no exploits required.
By chaining foreground services, job schedulers, and continuous ad refresh, the operators created an invisible ad-farm inside users’ phones, generating profit while degrading the device experience. This campaign also underscores the ongoing challenge of detecting gray-zone threats on official app stores.
Check Point notified Google about these applications, and all of the identified apps were removed from the Google Play Store Google Play Protect, which is on by default on Android devices with Google Play Services, automatically disables the identified apps for users who have them installed, regardless of the download source.