
Trapdoor Android Ad Fraud Scheme Exposes 455 Malicious Apps


At its peak, Trapdoor accounted for 659 million bid requests a day, a volume generated by a network of malicious Android apps and web infrastructure that turned routine installs into a self-sustaining ad-fraud machine.

HUMAN Satori Threat Intelligence and Research Team findings

Cybersecurity researchers at HUMAN’s Satori Threat Intelligence and Research Team disclosed the operation and shared a report with The Hacker News describing an ad fraud and malvertising campaign dubbed “Trapdoor.” According to the team, the activity involved 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, creating “a pipeline for multi-stage fraud.” The researchers named in the report are Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell.

How the multi-stage infection and monetization chain worked

Trapdoor relied on a two-stage app chain and selective activation to hide its fraud. The initial apps — often utility-style offerings such as PDF viewers or device cleanup tools — were distributed to users who then encountered fake pop-up alerts that mimicked app update messages to coax them into installing a second, threat actor-owned app. As the report explains, “These apps trigger malvertising campaigns that coerce users into downloading additional threat actor-owned apps. The secondary apps launch hidden WebViews, load threat actor-owned HTML5 domains, and request ads.”

Only the second-stage app is used to trigger the fraudulent activity, the researchers wrote, meaning that “anybody who downloads the app directly from the Play Store or sideloads it will not be targeted.” That selective activation — combined with anti-analysis and obfuscation techniques — helped the operation evade automated detection and researcher scrutiny.

HTML5 cashout sites, attribution abuse, and impersonation

HUMAN highlighted several techniques that amplified Trapdoor’s effectiveness. The operation used HTML5-based cashout domains — a monetization pattern that the report links to prior clusters tracked as SlopAds, Low5, and BADBOX 2.0 — to collect ad revenue from hidden WebViews. The threat actors also “abuse install attribution tools (technology designed to help legitimate marketers track how users discover apps) to enable malicious behavior only in users acquired through threat actor-run ad campaigns, while suppressing it for organic downloads of the associated apps,” the company said.

The report further notes that the malicious apps employed obfuscation, “such as impersonating legitimate SDKs to blend in,” and used other anti-analysis methods to frustrate detection and research efforts.

Scale, geography, and remediation

HUMAN reported that Android apps linked to the Trapdoor scheme were downloaded more than 24 million times. Traffic associated with the campaign originated primarily from the United States, which accounted for “more than three-fourths of the traffic volume.” At the operation’s peak, the infrastructure generated 659 million bid requests per day.

Following responsible disclosure from HUMAN, Google removed all identified malicious apps from the Google Play Store, effectively neutralizing the operation, the report states. The researchers note that the “complete list of Android apps is available here.”

How technologists, policymakers, and end users are affected

  • Technologists and security teams: Watch for abuse of attribution tools, hidden WebViews loading HTML5 cashout domains, and multi-stage app chains that only activate fraud for users acquired through ad campaigns. The operation’s use of impersonated SDKs and anti-analysis techniques underscores the need for behavioral and attribution-aware detection.
  • Policymakers and platform overseers: The campaign demonstrates how malvertising and app-distribution ecosystems can be chained into self-funding fraud operations. Notably, Google removed the identified apps from the Play Store after responsible disclosure, showing platform-level remediation is possible but dependent on detection and reporting.
  • End users: The initial lure often came from everyday utility-style apps (PDF viewers, device cleaners) and fake update pop-ups that prompt a second installation. Users should be cautious about unexpected prompts to install companion apps and understand that an app downloaded legitimately may still be used as a vector for follow-on malicious installs and fraud.
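One way to operationalize the attribution-aware detection the first bullet calls for, and the selective-activation pattern described in the infection-chain section: the added example below is not from HUMAN's report or any tool it names; it correlates constructed install-attribution records with constructed hidden-WebView ad-request telemetry and flags apps whose hidden ad requests come almost only from campaign-acquired installs while organic installs stay quiet. App ids, field names and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed install-attribution records (not from the report): one row per
# device, with the acquisition channel reported by the attribution SDK.
INSTALLS = [
    ("com.example.pdfview", "d1", "campaign"),
    ("com.example.pdfview", "d2", "campaign"),
    ("com.example.pdfview", "d3", "campaign"),
    ("com.example.pdfview", "d4", "organic"),
    ("com.example.pdfview", "d5", "organic"),
    ("com.example.pdfview", "d6", "organic"),
    ("com.example.notes", "d7", "campaign"),
    ("com.example.notes", "d8", "campaign"),
    ("com.example.notes", "d9", "organic"),
    ("com.example.notes", "d10", "organic"),
]

# Constructed ad-request telemetry: (app_id, device_id, webview_visible).
# Requests issued from an invisible WebView are the signal of interest.
AD_REQUESTS = [
    ("com.example.pdfview", "d1", False),
    ("com.example.pdfview", "d1", False),
    ("com.example.pdfview", "d2", False),
    ("com.example.pdfview", "d3", False),
    ("com.example.notes", "d7", True),
    ("com.example.notes", "d9", True),
]


def hidden_activation_rates(installs, ad_requests):
    """Per app, map each acquisition channel to the fraction of its devices
    that issued at least one ad request from a hidden WebView."""
    hidden_devices = {(app, dev) for app, dev, visible in ad_requests if not visible}
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # app -> channel -> [active, total]
    for app, dev, channel in installs:
        bucket = counts[app][channel]
        bucket[1] += 1
        if (app, dev) in hidden_devices:
            bucket[0] += 1
    return {app: {ch: active / total for ch, (active, total) in chans.items()}
            for app, chans in counts.items()}


def flag_selective_activation(installs, ad_requests, min_gap=0.5):
    """Flag apps whose hidden-WebView ad activity is concentrated in
    campaign-acquired installs; min_gap is an assumed tuning threshold."""
    flagged = []
    for app, rates in hidden_activation_rates(installs, ad_requests).items():
        gap = rates.get("campaign", 0.0) - rates.get("organic", 0.0)
        if gap >= min_gap:
            flagged.append(app)
    return sorted(flagged)
```

A legitimate app monetizing normally shows hidden-WebView activity near zero in both channels, while an app with visible ads in both channels (like the constructed notes app) is not flagged even though it requests ads.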

“Trapdoor shows how determined fraudsters turn everyday app installs into a self-funding pipeline for malvertising and ad fraud,” Gavin Reid, chief information security officer at HUMAN, said. Lindsay Kaye, vice president of threat intelligence at HUMAN, added that “this operation uses real, everyday software and multiple obfuscation and anti-analysis techniques - such as impersonating legitimate SDKs to blend in - to help fuse malvertising distribution, hidden ad fraud monetization, and multi-stage malware distribution.”

The human cost in attention and platform trust — and the technical creativity displayed by the operators — are plain in the numbers: millions of downloads, hundreds of millions of daily ad-bid requests, and infrastructure that deliberately hides its behavior from organic users and researchers. The remediation step taken by Google removed the immediate threat, but the techniques described — HTML5 cashout pages, attribution abuse, and selective activation — are modular and reusable, posing a clear challenge for detection and ad-ecosystem governance going forward.

Original report at The Hacker News