A new Android ad fraud and malvertising operation called Trapdoor has targeted users through 455 malicious apps and 183 threat actor-owned command-and-control domains, according to a technical analysis by HUMAN’s Satori Threat Intelligence and Research Team.
KEY FACTS
- Scale: The campaign reached a peak of 659 million bid requests a day.
- Install base: Apps tied to the scheme were downloaded more than 24 million times.
- Technique: The operation used utility-style apps, hidden WebViews and HTML5 cashout domains.
- Focus: More than three-fourths of the traffic came from the United States.
- Response: Google removed the identified malicious apps from the Play Store after disclosure.
Researchers said the scheme used bogus apps that posed as everyday tools such as PDF viewers and device cleanup apps. Once installed, the apps pushed fake update prompts and steered users toward additional threat actor-controlled apps.
The second-stage apps launched hidden WebViews, loaded attacker-controlled HTML5 domains and requested ads. The report said only those second-stage apps triggered fraud, while apps installed directly from the Play Store or by sideloading did not.
The disclosure said the actors also used install attribution tools to activate malicious behavior only for users acquired through their ad campaigns. It said the operation combined malvertising distribution, hidden ad fraud monetization and multi-stage malware delivery, along with obfuscation and anti-analysis methods designed to evade detection.
HUMAN said the campaign appeared to be self-sustaining because legitimate app installs could be turned into revenue for further malvertising. The report linked the use of HTML5-based cashout sites to earlier fraud clusters tracked as SlopAds, Low5 and BADBOX 2.0.
WHY IT MATTERS
Trapdoor shows how Android apps can be used to generate ad fraud at scale while hiding from casual review. The case also highlights how legitimate marketing tools and ordinary utility apps can be repurposed in campaigns that are hard to spot and remove.

