NEWS Your smartphone is working for scammers while you sleep. It looks like your gadget has found a dubious side job.

pinkman

Experts have uncovered the Genisys fraudulent network, which has infected 25 million Android devices.
A smartphone sits in a pocket, the screen is off, the owner isn't using anything, and the device is earning money for scammers. Researchers from IAS Threat Lab have uncovered a Genisys scheme that turned over 25 million devices into a hidden advertising traffic factory.

The team previously described Operation Arcade, where mobile apps secretly opened websites in their built-in browser and inflated traffic. After publication, the researchers continued monitoring and noticed a new infrastructure with different domains and traffic behavior. This led to the discovery of a separate network, dubbed Genisys.

Genisys was embedded directly into regular Android apps. These apps ran background activity without the owner's knowledge, consuming computing resources and internet traffic without providing any benefit. Devices loaded websites in hidden windows within the built-in browser, creating the appearance of real clicks and ad impressions.

The main difference between Genisys and Arcade is the websites. While previously scammers used gaming and entertainment pages, now nearly 500 domains were created using generative tools powered by artificial intelligence. The websites appeared to be blogs, news portals, or information resources, but functioned as a conveyor belt for laundering app traffic.

When viewed at scale, a uniform structure, recurring article templates, and minimal design differences are noticeable. The domain name changes, the logo is distinctive, and the rest is almost identical to that of neighboring sites. Generative tools made it possible to quickly create new sites and regularly change URLs, bypassing traditional detection methods.

Genisys further obfuscated the situation by spoofing app IDs. Traffic to fraudulent domains allegedly came from hundreds of different apps, including those with tens or even hundreds of millions of installations. Analysis revealed that this data was inaccurate. A small group of apps generated hidden activity, while the fake IDs created noise and obscured the true source.

The scheme involved dozens of apps with different names. Many of the programs were disguised as memory cleaners, PDF readers, flashlights, games, and fitness apps. Many of the developers had been implicated in previous violations. After some apps were removed, new ones with similar behavior appeared on the platform.

Genisys rapidly expanded its geographic reach. In September, the majority of activity was recorded in North America, and by the end of the year, traffic was steadily distributed among countries in the Asia-Pacific region, Latin America, and EMEA. Two to three new countries were added each month, indicating targeted scaling.

IAS Threat Lab shared the data with Google. After investigation, the fraudulent versions of the apps were removed from the Google Play store. Google Play Protect began warning device owners and automatically disabling Genisys-related apps, even if the user installed the app from a third-party source.

Following the block, the volume of ad requests from the affected apps dropped by more than 95% and remained near zero. This simultaneous decline demonstrated the centralized nature of the network.

The Genisys story demonstrates a new phase in the development of large-scale advertising fraud. Instead of real websites, attackers build a synthetic ecosystem of hundreds of domains created using artificial intelligence, then disguise the traffic source as hundreds of popular apps. Until platforms and developers systematically block repeat offenders, such schemes will return in updated forms.
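The paragraph above about the generated sites ("uniform structure, recurring article templates, minimal design differences") describes exactly the signal a defender can cluster on: strip the text and images, keep the tag skeleton, and near-duplicate sites group together even when every domain name and logo is different. The script below is an added example written for this post, not IAS Threat Lab's tooling; the domain names and HTML pages in it are constructed to mimic the pattern, and the 0.8 similarity threshold and 3-token shingle size are assumptions you would tune on real crawls.

```python
"""Cluster domains whose HTML template skeletons are near-identical.

Added example, not the researchers' code. SAMPLE_PAGES below are constructed:
three domains share one layout (only headline, body text and logo file differ)
and one unrelated page serves as a control.
"""
from html.parser import HTMLParser
from itertools import combinations


class SkeletonParser(HTMLParser):
    """Record the sequence of tags (plus class attributes), discarding all text."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class", "")
        self.tokens.append(f"<{tag} {cls}>" if cls else f"<{tag}>")

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")


def skeleton(html):
    """Tag skeleton of a page: layout survives, article text and logos do not."""
    parser = SkeletonParser()
    parser.feed(html)
    return parser.tokens


def shingles(tokens, k=3):
    """k-token windows over the skeleton; order-sensitive but text-insensitive."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_templates(pages, threshold=0.8):
    """Union-find grouping of domains whose skeleton similarity >= threshold.

    pages: {domain: html}. Returns a sorted list of sorted domain lists.
    """
    names = list(pages)
    sh = {n: shingles(skeleton(pages[n])) for n in names}
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(names, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


def _templated(domain, headline):
    # Constructed page: same layout for every domain, different words and logo.
    return f"""<html><head><title>{headline}</title></head>
<body><header class="site-header"><img class="logo" src="/{domain}-logo.png">
<nav><a href="/">Home</a><a href="/news">News</a></nav></header>
<main class="content"><article class="post"><h1>{headline}</h1>
<p>Generated filler about {domain}.</p><p>More generated filler.</p></article>
<aside class="sidebar"><div class="ad-slot"></div><div class="ad-slot"></div></aside></main>
<footer class="site-footer"><p>(c) {domain}</p></footer></body></html>"""


# Constructed sample: three "blogs" on one template plus one unrelated shop page.
SAMPLE_PAGES = {
    "daily-insight.example": _templated("daily-insight.example", "Ten tips for better sleep"),
    "tech-pulse.example": _templated("tech-pulse.example", "Why phones get slow"),
    "health-brief.example": _templated("health-brief.example", "Morning routines that work"),
    "real-shop.example": ("<html><body><div id='app'><ul><li>Item</li><li>Item</li></ul>"
                          "<form><input><button>Buy</button></form></div></body></html>"),
}

if __name__ == "__main__":
    for group in cluster_templates(SAMPLE_PAGES):
        print(len(group), "domain(s):", ", ".join(group))
```

On a real crawl you would fetch each domain's front page and a few article URLs, feed them through `cluster_templates`, and treat any cluster spanning many unrelated-looking domains as a candidate traffic-laundering farm; the text-based fingerprints that the generated sites defeat are exactly what this skeleton comparison ignores.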