An Android-based mobile fraud operation designed to milk ad revenues from AI-generated shell websites has been shut down by Google and ad verification firm Integral Ad Science (IAS). The scheme was executed through more than 25 million consumer devices.
Throughout late 2025, the scheme, dubbed Genisys, used over 115 distinct mobile apps to propagate fraudulent ad activity. When users downloaded an affected app—most of which were basic utility apps like QR code scanners, PDF readers, or WiFi detectors—secret in-app browsers covertly pushed traffic to nearly 500 AI-generated domains in order to monetize ad engagement.
Affected apps were generally basic single-function tools like flashlights, PDF converters, or wallpaper providers. The websites generally looked like blogs, news publishers, or informational sites.
Many of the AI-generated domains were designed to look like generic, informative sites.
Not only did the operation hijack users’ devices without their knowledge it also led to wasted investment for many advertisers whose messages were not shown to real people. IAS Threat Lab was unable to quantify the total ad spend wasted by the scheme, but determined that its traffic generated millions of bid requests, leading advertisers to serve ads against bot traffic.
Hadi Shiravi, a senior engineering manager at IAS Threat Lab, warned that AI is being used to quickly set up and aggressively expand these fraud schemes. “These are scales we haven’t seen before,” Shiravi said. “It’s very easy for them to spin up these domains, scale them and at a very low cost,” Shiravi added.
Plus, technical advancements are making it easier for AI-generated content to bypass standard monitoring techniques employed by ad exchanges and supply-side platforms.
To further obscure the activity and avoid detection, fraudsters misrepresented bundle IDs, unique codes used to identify specific apps. Instead of displaying their real bundle IDs, the fraudulent apps showed the IDs of a wide range of real, popular apps—like Netflix and Instagram—to suggest that the traffic going to the shell websites was legitimate. Some of the domains showed upwards of 300 app bundle IDs generating traffic.
