Researchers have disclosed a large ad fraud and malvertising operation dubbed ‘Trapdoor’ that targets Android users. The operation, investigated by HUMAN’s Satori Threat Intelligence and Research Team, involved 455 malicious Android applications and 183 domains controlled by the threat actors, and was built as a multi-stage pipeline in which each stage fed users or traffic into the next.
How Trapdoor Operated
In the Trapdoor scheme, users downloaded what looked like ordinary utility apps, such as PDF viewers or cleanup tools, that were in fact owned by the threat actors. These first-stage apps served malvertising that prompted users to install additional apps. The second-stage apps launched hidden WebViews, loaded HTML5 sites on attacker-owned domains, and generated ad requests from those pages that the user never saw.
The campaign was self-sustaining: organic installs of the first-stage apps pushed users into the second-stage apps, whose hidden ad requests produced revenue that funded further malvertising. The use of HTML5 cashout sites mirrors patterns observed in earlier threats such as SlopAds and BADBOX 2.0.
Impact and Reach of the Scheme
At its peak, Trapdoor accounted for 659 million bid requests per day, and the Android apps tied to the scheme had been downloaded more than 24 million times. More than 75% of the traffic originated from the U.S.
Trapdoor’s operators also abused install attribution tools: the fraudulent behaviour was enabled only for users acquired through the operators’ own ad campaigns and suppressed for organic installs, which also means that anyone who installed an app directly from the store, a reviewer included, saw only benign behaviour. This dual strategy combined overt malvertising in the first-stage apps with hidden ad fraud in the second-stage apps, with legitimate-looking utilities serving as the delivery platform.
Response and Future Outlook
Following responsible disclosure, Google removed all of the identified malicious apps from the Google Play Store. The complete list of these apps has been published.
As highlighted by Lindsay Kaye, vice president of threat intelligence at HUMAN, the operation employed sophisticated techniques to blend in with legitimate software, using obfuscation and anti-analysis methods to avoid detection.
Gavin Reid, chief information security officer at HUMAN, emphasized how fraudsters leverage legitimate tools and software to sustain their fraudulent activities. The ongoing efforts of the Satori team aim to counteract these evolving threats.
