Google, IAS bust AI ad fraud scheme infecting 25 million devices globally, a third in APAC

Built on nearly 500 AI-made sites and 115 Android apps, the ad fraud scheme built a fake web to drain advertiser dollars, IAS said.

Google and Integral Ad Science (IAS) have identified and removed large volumes of invalid traffic from its ad systems after detecting patterns inconsistent with real user behaviour. The scheme, called Genisys, constructed a web of nearly 500 AI-generated publisher sites to receive and legitimise fabricated traffic, effectively laundering fake impressions through the programmatic ecosystem.

More than 25 million Android devices were compromised globally throughout late 2025. APAC accounts for around 33% of Genisys activity, spanning India, the Philippines, Indonesia, South Korea, Malaysia, Japan, Thailand, Australia, Vietnam, and Singapore.

“This was not a simple bot network; it was a coordinated ecosystem designed to simulate legitimate supply at scale, from synthetic publisher environments to sophisticated traffic misattribution tactics,” said Hadi Shiravi, senior manager of engineering threat intelligence at IAS. 

What set Genisys apart was its use of generative AI to fabricate domains from scratch. It easily mass-produced blog-style and news-style sites that were never built for real audiences, then layered this with extensive app bundle ID spoofing, masking bot traffic as inventory from legitimate, widely installed apps.

Genisys first surfaced in September 2025 and initially targeted only North America via 115 seemingly benign apps: utility tools, PDF readers and casual games. Malicious processes ran in the background without user consent, diverting processing power and network resources to generate traffic. Some of these apps had install counts as high as five million users in APAC alone.

How detection unfolded

Google’s internal systems flagged anomalies over time based on suspicious patterns in user agents, IP addresses and engagement data. Detection involved behavioural analysis of the velocity, repetition patterns and cross-network inconsistencies of these anomalies. In an AI-enabled environment, IAS notes, domain names, bundle IDs and install counts can be fabricated or scaled synthetically, but behavioural signals are harder to falsify convincingly.

IAS Threat Lab also identified repeat-offender developer accounts, including one that had published 13 abusive apps. Even as apps were removed, new low-effort utilities surfaced from the same profiles, underscoring the operation’s resilience.

Since the takedown, bid request volumes linked to Genisys have dropped by more than 95%. Google Play Protect will automatically disable affiliated apps, including sideloaded versions.

A Google spokesperson said the action was part of its ongoing effort to protect "people and businesses from abuse." They added: "Bad actors are constantly changing tactics, which is why we collaborate with IAS and others across the industry to disrupt fraud networks."

For brands and agencies, IAS recommends stricter supply-path discipline, with pre-bid and post-bid invalid traffic investigation run in tandem. It also calls for greater platform-level coordination, transparent invalid traffic reporting and clear takedown protocols when anomalies surface.

"As fraud becomes more adaptive, detection must become intelligence-led, behaviour-based, and ecosystem-driven," Shiravi added.

Campaign previously reported that Arcade, another major ad-fraud scheme, used hidden domains exploiting gaming and entertainment sites.

Source: Campaign Asia-Pacific