Unveiling the hidden threats of app ads: How malware creeps into your phone



CO-EDP, VisionRI | Updated: 25-01-2025 17:22 IST | Created: 25-01-2025 17:22 IST

In today’s hyper-connected world, mobile apps dominate our digital landscape. With over 57% of apps integrating advertising libraries, app promotion ads have become a cornerstone for app discovery and monetization. However, a recent study unveiled at the NDSS Symposium 2025 has shed light on the dark side of these seemingly innocuous ads. Titled “Careful About What App Promotion Ads Recommend! Detecting and Explaining Malware Promotion via App Promotion Graph”, this research by Shang Ma, Chaoran Chen, Shao Yang, and their team explores how malicious actors exploit app promotion ads to distribute malware and introduces a revolutionary detection framework, ADGPE, to combat this threat.

A growing threat hidden in plain sight

Mobile advertisements have evolved into a significant revenue stream, enabling developers to reach larger audiences. However, inadequate vetting of these ads has opened the door for attackers to infiltrate the ecosystem. According to the study, users who download apps via promotion ads face a malware exposure risk hundreds of times higher than those downloading directly from Google Play. With popular ad networks like Google AdMob, Unity Ads, and AppLovin implicated in these schemes, the threat extends across millions of devices globally.

The researchers demonstrated that malicious developers often embed custom-made ads or manipulate ad libraries to promote aggressive adware, rogue security software, trojans, and fleeceware. This stealthy approach capitalizes on the trust users place in reputable platforms and apps, making it a significant cybersecurity challenge.

Introducing ADGPE: A game-changer in malware detection

To tackle this growing menace, the research team introduced ADGPE, a novel framework that synergizes dynamic app user interface (UI) exploration with graph learning techniques. This approach identifies, analyzes, and explains the promotion mechanisms employed by malicious apps, providing unparalleled insights into the app promotion ecosystem.

ADGPE’s dynamic UI exploration method enables it to navigate complex app interfaces systematically. By uncovering hidden app promotion ads, often missed by traditional static analysis, it ensures broader detection coverage. Furthermore, its graph learning integration constructs a comprehensive app promotion graph, mapping relationships between apps, ad networks, and promoted content. By utilizing advanced graph neural networks, ADGPE achieves an impressive 95.31% F1 score in malware detection, demonstrating its superiority over existing solutions.

Analyzing over 18,000 app promotion ads, the researchers uncovered critical insights into how malware spreads through this ecosystem. Custom-made ads, which are directly embedded within apps by developers, serve as controlled ecosystems to propagate malware. In contrast, ad library-based ads exploit dynamic ad servers, such as AdMob and AppLovin, to distribute malicious content to unsuspecting users. These mechanisms highlight the versatility and reach of malware distributors within the app promotion ecosystem.
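To make the app promotion graph idea concrete, here is an added example (not ADGPE's code and not taken from the paper) that builds such a graph from ad observations and scores unlabelled apps by plain label propagation, a much simpler stand-in for the graph neural network the study uses. The package names, labels, prior and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (host app, promoted app, channel). "custom" marks an ad
# embedded by the developer; other values name the ad library that served it.
OBSERVATIONS = [
    ("com.example.flashlight", "com.example.cleaner", "custom"),
    ("com.example.flashlight", "com.example.photoedit", "custom"),
    ("com.example.cleaner", "com.example.photoedit", "custom"),
    ("com.example.puzzle", "com.example.cleaner", "AdMob"),
    ("com.example.puzzle", "com.example.notes", "AdMob"),
    ("com.example.weather", "com.example.notes", "AppLovin"),
]
# Constructed labels for already-analysed apps: 1.0 = malware, 0.0 = benign.
KNOWN = {"com.example.cleaner": 1.0, "com.example.notes": 0.0,
         "com.example.weather": 0.0}

def neighbours(observations):
    """Undirected adjacency of the promotion graph (promoter <-> promoted)."""
    adj = defaultdict(set)
    for host, target, _channel in observations:
        adj[host].add(target)
        adj[target].add(host)
    return adj

def propagate(observations, known, rounds=3, prior=0.5):
    """Label propagation: unlabelled apps take the mean score of neighbours."""
    adj = neighbours(observations)
    score = {app: known.get(app, prior) for app in adj}
    for _ in range(rounds):
        updated = dict(score)
        for app in adj:
            if app not in known:
                updated[app] = sum(score[n] for n in adj[app]) / len(adj[app])
        score = updated
    return score

def channel_exposure(observations, score, threshold=0.75):
    """Per channel: [ads pointing at high-risk apps, total ads observed]."""
    stats = defaultdict(lambda: [0, 0])
    for _host, target, channel in observations:
        stats[channel][1] += 1
        if score[target] >= threshold:
            stats[channel][0] += 1
    return dict(stats)

if __name__ == "__main__":
    scores = propagate(OBSERVATIONS, KNOWN)
    for app, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{s:.4f}  {app}")
    print(channel_exposure(OBSERVATIONS, scores))
```

Apps that sit in a tight cluster with a known-malicious app rise towards 1.0, while an app whose ads point at both malicious and benign apps stays at the prior and needs further analysis.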

ADGPE’s analysis revealed that app promotion ads pose a significantly higher security risk than direct downloads from official marketplaces. The findings underscore the importance of detecting and addressing these threats to ensure user safety.

The practical application of ADGPE identified numerous hidden threats. For instance, trojan apps disguised as photo editors or dictionaries were found to execute malicious activities, such as data theft. Similarly, aggressive adware exploited intrusive advertising practices to collect personal information, while rogue security software falsely claimed to enhance device security while coercing users into unnecessary purchases. These discoveries validate the efficacy of ADGPE and its role in advancing cybersecurity practices.

The need for industry-wide action

This groundbreaking research highlights the urgent need for a collective effort to secure the app promotion ecosystem. Ad networks must implement stricter vetting processes to prevent malicious ads from reaching users. Developers should be held accountable for the content promoted through their apps, ensuring transparency and integrity in their practices. Moreover, educating users about the risks associated with app promotion ads is crucial. By encouraging users to verify app sources and rely on trusted security tools, the industry can foster a safer digital environment.

A vision for the future

Looking ahead, the researchers aim to enhance ADGPE by integrating more sophisticated AI techniques and extending its application to diverse app markets. Long-term monitoring systems could track emerging trends in app promotions, providing continuous updates to the community. Such advancements would solidify ADGPE’s role as a cornerstone in combating ad-based malware and securing the digital ecosystem.

This study not only highlights the alarming misuse of app promotion ads but also offers a robust solution to combat the problem. By bridging the gap between dynamic program analysis and graph learning, ADGPE represents a significant leap forward in safeguarding users from evolving cyber threats. The findings serve as a clarion call for industry stakeholders to prioritize security and collaborate on building a safer digital ecosystem.

First published in: Devdiscourse