Cybersecurity researchers have unveiled a sophisticated ad fraud and malvertising operation known as Trapdoor, which is specifically targeting users of Android devices. This operation, identified by HUMAN’s Satori Threat Intelligence and Research Team, involves a staggering 455 malicious Android applications and 183 command-and-control (C2) domains owned by threat actors, creating a complex infrastructure for multi-stage fraud.
Mechanics of the Trapdoor Operation
According to the research team, users often unknowingly download these malicious apps, which are typically disguised as utility applications such as PDF viewers or device cleanup tools. Once installed, these apps initiate malvertising campaigns that pressure users into downloading additional malicious applications. The secondary apps then open hidden WebViews, load threat actor-controlled HTML5 domains, and request advertisements.
This self-sustaining campaign transforms organic app installations into a continuous revenue-generating cycle, which can subsequently fund further malvertising efforts. A notable feature of this operation is the use of HTML5-based cashout sites, a tactic previously observed in other threat clusters like SlopAds, Low5, and BADBOX 2.0.
At the height of its activity, Trapdoor was responsible for an astonishing 659 million bid requests per day, with Android apps linked to the operation being downloaded over 24 million times. The majority of the traffic associated with this campaign originated from the United States, accounting for more than 75% of the total volume.
Exploiting Attribution Tools
The threat actors behind Trapdoor have also been found to exploit install attribution tools—technologies designed to assist legitimate marketers in tracking user acquisition. This manipulation allows malicious activities to be activated only for users acquired through threat actor-run ad campaigns, while suppressing such behavior for those who download the apps organically.
Trapdoor merges two distinct strategies: malvertising distribution and hidden ad-fraud monetization. Unsuspecting users end up downloading fraudulent applications that masquerade as benign utilities, which in turn serve as conduits for delivering malicious ads for other Trapdoor apps. These apps are engineered to execute automated touch fraud, launch hidden WebViews, load threat actor-controlled HTML5 cashout domains, and request advertisements.
It is crucial to note that only the second-stage app is responsible for triggering fraudulent activities. When the organically downloaded app is launched, it generates deceptive pop-up alerts that mimic legitimate app update notifications, tricking users into installing the next-stage app. This selective activation strategy ensures that only those who fall prey to the advertising campaign are targeted, leaving users who download the app directly from the Play Store or sideload it unaffected.
Advanced Evasion Techniques
Trapdoor employs a variety of anti-analysis and obfuscation techniques to evade detection. As Lindsay Kaye, vice president of threat intelligence at HUMAN, explains, “This operation utilizes real, everyday software and multiple methods of obfuscation—such as impersonating legitimate SDKs—to seamlessly integrate malvertising distribution, hidden ad fraud monetization, and multi-stage malware distribution.”
In response to the responsible disclosure of this operation, Google has taken decisive action to remove all identified malicious apps from the Google Play Store, effectively neutralizing the threat. A comprehensive list of the affected Android apps is available for review.
Gavin Reid, chief information security officer at HUMAN, remarked, “Trapdoor exemplifies how determined fraudsters convert everyday app installations into a self-sustaining pipeline for malvertising and ad fraud. This case highlights the ongoing challenge of threat actors co-opting legitimate tools—such as attribution software—to facilitate their fraudulent campaigns and evade detection.”
As these actors continue to evolve by linking utility apps, HTML5 cashout domains, and selective activation techniques that remain hidden from researchers, the Satori team is dedicated to tracking and disrupting their activities on a large scale.