Share on LinkedIn
Share on XExecutive Summary
The IAS Threat Lab is a dedicated team within Integral Ad Science (IAS) focused on uncovering, dissecting, and mitigating sophisticated ad-fraud schemes and malicious digital-advertising behavior. The team’s latest discovery, Arcade, reveals a growing monetization pattern within the open web’s gaming ecosystem. A large cluster of HTML5 gaming domains, all active and fully functional, are monetizing their ad supply through hidden in-app browser activity sourced from fraudulent Android applications. These gaming domains receive real ad requests and deliver playable content, but the traffic itself never comes from visible users. Instead, it originates from background-rendered browser tabs embedded inside Android utilities and lightweight gaming apps.
The IAS Threat Lab identified 50 Android apps with a combined 10 million installs, collectively driving traffic to a network of more than 200 HTML5 gaming domains. The HTML5 games are legitimate and responsive, yet typically unseen by human users. IAS’s fraud detection systems identified unusual background rendering and domain iteration behavior, enabling early intervention before the campaign reached full scale.
An Invisible Arcade of Real Games
The domains at the heart of this scheme are deceptively authentic. Each hosts playable, browser-based games, complete with interactive interfaces and advertising frameworks. The domain names frequently contain gaming-related keywords such as “game” or “play” and appear innocuous to verification systems because the pages load correctly and function as intended. When traffic is reviewed on the surface, everything points to legitimate gaming engagement.
However, behind this facade, fraudulent Android apps continuously load these pages in invisible in-app browser tabs, generating a constant stream of ad impressions. The pages are not user-facing, and the activity occurs silently while the app performs unrelated tasks. One analyzed app cycled through hundreds of domains in sequence, creating persistent, automated inventory that appeared indistinguishable from genuine gameplay sessions.
How the Scheme Activates
Arcade’s activation framework builds on the same cloaking principles first disclosed by IAS in Mirage. In that earlier operation, apps concealed their ad fraud logic until certain install conditions were met, allowing them to appear legitimate in standard testing environments. Arcade applies this same approach.
When installed directly from app stores, Arcade-linked apps behave normally and show no signs of suspicious behavior. The ad fraud components only activate when the app identifies that it has been installed through a paid ad campaign or referral flow.
This determination is made using attribution SDKs (Appsflyer SDK), which reports the method of installation to the app. If the install is confirmed to be campaign-driven, the app communicates with a remote command-and-control server, transmitting device and referral data in custom headers. When these headers meet strict validation checks, the server responds with an encrypted payload, which the app decrypts and loads dynamically. The decrypted code enables hidden in-app browser tabs to render HTML5 gaming domains in the background and, in many cases, activates out-of-context ad delivery as a secondary monetization path
Because this payload is delivered only to targeted devices, the apps remain clean under normal review conditions. Many samples also include anti-analysis safeguards designed to detect virtualized or sandboxed environments and suspend execution, further complicating detection efforts.
Monetization at Two Levels
Once activated, apps under the Arcade cluster monetize through two distinct yet complementary mechanisms. The first is hidden traffic generation, which uses the network of gaming domains as a monetization endpoint. These domains serve as the true beneficiaries, selling inventory created by invisible sessions within the apps. The second is out-of-context advertising, a recurring behavior seen in earlier IAS investigations such as Vapor and Mirage, where apps run unexpected full-screen or interstitial ads appearing outside normal engagement flows.
This dual structure allows threat actors to extract revenue from both visible and invisible ad surfaces. While the visible ads frustrate users, the invisible gaming sessions serve as the far greater financial engine.
Distribution and Geographic Shifts
Arcade’s early activity was concentrated in Western markets, primarily the United States, Brazil, and Canada. Over time, the campaigns have migrated toward Asia-Pacific regions. By September 2025, installs and traffic were dominated by Turkey, Vietnam, the Philippines, Thailand, Indonesia, and Malaysia. These countries now comprise nearly half of all detected Arcade traffic, indicating a deliberate redirection of campaign targeting.
Among the identified apps, Street King Vacano (com.txt.streetking.vacano) a lightweight gaming app exemplifies Arcade’s scaling model. The app achieved top chart positions, including #1 Top New Free, in several markets and reached over 1 million installs in less than one month.
Detection and Outlook
Arcade is anything but subtle. The volume of traffic attributed to this operation points to a well-resourced and coordinated effort, capable of producing and maintaining a myriad of Android apps and gaming domains at industrial scale. The threat actors behind Arcade have invested heavily in development infrastructure, domain acquisition, and continuous app deployment, allowing them to sustain large amounts of fraudulent traffic that blend into the broader gaming ecosystem.
IAS fraud detection systems identified the operation through a combination of behavioral anomaly analysis and domain traversal pattern recognition. Repeated, rapid page loads and non-interactive rendering events exposed the activity as non-human.
The ongoing investigation continues to map the infrastructure of developer accounts and associated domain operators behind the scheme. While the current set includes 200 gaming domains and 50 apps, the modular nature of Arcade’s framework suggests that new domains can easily be added as others are blocked.
Conclusion
Arcade demonstrates how legitimate web content can be reappropriated into a hidden monetization layer. The gaming domains themselves are central to this operation, earning revenue from traffic that no human ever generates. Android apps function as the traffic engine, quietly delivering ad requests that fund the ecosystem behind them.
By detecting and removing these apps and domains from the advertising supply chain, IAS effectively cuts off the operation’s financial lifeline, preventing further monetization and neutralizing the resources that fuel its continued growth.
IAS Threat Lab remains committed to uncovering and disrupting evolving monetization schemes before they reach advertisers’ budgets. Learn more about our AI-powered approach to combatting fraud pre- and post-bid.
