“The ad fraud and malvertising scam has spanned 455 malicious Android apps and is linked to 183 threat actor-owned command-and-control domains,” researchers at Human Security report — and at its peak the operation produced as many as 659 million bid requests per day.
How the Trapdoor campaign mechanics work
Human Security calls the operation "Trapdoor." According to the report, the campaign begins with seemingly harmless Android apps — PDF viewers, file managers, device cleanup tools and similar utilities — distributed to victims. After a user downloads one of the 455 malicious apps, the app prompts the user to install multiple fake software updates that deliver a second-stage payload.
That payload, researchers observed, deploys hidden embedded browsers that load malicious HTML5 domains and content behind the scenes. Those invisible browsers generate fake ad impressions, user clicks and ad bid requests without the user's knowledge, funneling fraudulent traffic into advertising exchanges and networks.
Scale, reach, and operational ties
Human Security measured the campaign’s footprint in hard numbers: 455 apps, 183 command-and-control domains, and more than 24 million fraudulent app installs. The operation generated up to 659 million bid requests per day during observed activity and created what researchers described as "a self-sustaining cycle of fraud," in which revenue from prior ads is reinvested into new malvertising campaigns.
While the activity was reported as mostly confined to the United States, researchers also observed traffic in Japan, Australia, Russia, New Zealand, India and several other locations. Portions of Trapdoor’s monetization chain linked out to other ad fraud operations, including Badbox 2.0.
Evasion techniques: impersonation, attribution, and targeted activation
Trapdoor operators used multiple techniques to make fraudulent traffic appear legitimate. The apps simulate realistic user interactions — taps, swipes and scrolling gestures — to trick ad platforms into accepting impressions and clicks. The campaign also "abuses and impersonates legitimate mobile advertising infrastructures" and installs attribution services, tools normally used by legitimate marketers, to blend in with real traffic.
Researchers further reported that the malware checks where downloads originated and restricts malicious behavior to devices that acquired the apps through threat actor-run ad campaigns. The operators suppressed organic downloads, ensuring the fraudulent pipeline ran primarily against targeted, paid-distribution channels.
What this means for advertisers, security teams, and mobile users
- Advertisers and ad platforms: Expect to see inflated bid request volumes and impressions that are difficult to distinguish from legitimate demand because Trapdoor mimics real interaction and uses attribution services. The report’s finding that revenues are recycled into new campaigns — a "self-sustaining cycle of fraud" — means fraudulent spend can perpetuate itself across ad ecosystems.
- Security teams and fraud analysts: Human Security ties the campaign to 455 distinct malicious apps and 183 command-and-control domains; monitoring for those artifacts, hidden embedded browsers, and abnormal installation/update patterns will be central to detection. The campaign’s use of attribution services and suppressed organic installs also suggests defenders should correlate download origin signals with post-install behavior.
- Mobile users: The malicious applications were disguised as routine utilities and pushed fake software updates. Users encountering unexpected update prompts from newly installed utilities should be cautious; in this campaign those prompts delivered the hidden browser payloads that drove widespread malvertising fraud.
Trapdoor illustrates a straightforward but potent model: corrupted apps act as delivery mechanisms for covert browser instances that manufacture ad inventory at scale, then feed the proceeds back into more distribution. The Human Security report leaves a clear technical challenge on the table — how to reliably distinguish sophisticated, simulated interactions and hidden embedded browsers from legitimate human traffic at the scale reported — and the industry of advertisers and defenders will need to show how it can answer that challenge.




