Cyber Web Spider Blog – News

Trapdoor Android Fraud Scheme Hijacks 659 Million Daily Requests

Posted on May 19, 2026 By CWS

Researchers have revealed a sophisticated ad fraud and malvertising scheme dubbed ‘Trapdoor,’ targeting Android users. This operation, scrutinized by HUMAN’s Satori Threat Intelligence and Research Team, involved 455 malicious Android applications and 183 domains controlled by threat actors. The setup functioned as a conduit for multi-stage fraudulent activities.

How Trapdoor Operated

In the Trapdoor scheme, unsuspecting users downloaded apps owned by the threat actors, often utilities such as PDF viewers or cleanup tools. These applications ran malvertising campaigns that prompted users to download additional apps. The secondary applications launched hidden WebViews, loaded HTML5 domains owned by the attackers, and generated ad requests.

The self-sustaining nature of the campaign allowed organic app installs to evolve into revenue-generating cycles, funding further malvertising efforts. The use of HTML5 cashout sites in this scheme mirrors patterns observed in past threats such as SlopAds and BADBOX 2.0.

Impact and Reach of the Scheme

At its peak, Trapdoor was responsible for 659 million daily bid requests, with over 24 million downloads of Android apps linked to the scheme. The majority of the traffic originated from the U.S., accounting for more than 75% of the total volume.

Trapdoor’s operators exploited install attribution tools, enabling malicious activity only for users acquired through their campaigns while suppressing it for organic downloads. This dual strategy combined malvertising with hidden ad fraud, where legitimate-looking apps served as a platform for deploying malicious ads.
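
One way a defender could look for the attribution-gated behaviour described above, as an added example that is not taken from HUMAN's research or the original article: compare each app's ad-request volume between campaign-acquired and organic install cohorts, and flag apps whose ad traffic appears only in the campaign cohort and comes mostly from WebViews that were never visible. The telemetry schema, package names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): one record per device-day.
# Hypothetical fields: app package, install cohort, ad requests observed,
# and how many of those came from a WebView that was never shown on screen.
SAMPLE = [
    {"app": "com.example.pdfview", "cohort": "attributed", "ad_requests": 900, "hidden": 880},
    {"app": "com.example.pdfview", "cohort": "attributed", "ad_requests": 1100, "hidden": 1090},
    {"app": "com.example.pdfview", "cohort": "organic", "ad_requests": 0, "hidden": 0},
    {"app": "com.example.pdfview", "cohort": "organic", "ad_requests": 2, "hidden": 0},
    {"app": "com.example.notes", "cohort": "attributed", "ad_requests": 40, "hidden": 0},
    {"app": "com.example.notes", "cohort": "organic", "ad_requests": 35, "hidden": 0},
    # Only one cohort observed for this app, so no comparison is possible.
    {"app": "com.example.cleaner", "cohort": "attributed", "ad_requests": 700, "hidden": 650},
]

def cohort_stats(records):
    """Return {app: {cohort: (mean_ad_requests, hidden_share)}}."""
    acc = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for r in records:
        s = acc[r["app"]][r["cohort"]]
        s[0] += 1                  # device-days
        s[1] += r["ad_requests"]   # total ad requests
        s[2] += r["hidden"]        # requests from never-visible WebViews
    return {
        app: {c: (total / n, hidden / total if total else 0.0)
              for c, (n, total, hidden) in cohorts.items()}
        for app, cohorts in acc.items()
    }

def flag_gated_apps(records, min_ratio=20.0, min_hidden_share=0.5):
    """Label each app by comparing attributed vs. organic ad behaviour."""
    findings = {}
    for app, cohorts in cohort_stats(records).items():
        if "attributed" not in cohorts or "organic" not in cohorts:
            # Testing only one cohort is exactly the blind spot the gating
            # relies on, so report the gap instead of calling the app clean.
            findings[app] = "insufficient-cohorts"
            continue
        a_mean, a_hidden = cohorts["attributed"]
        o_mean, _ = cohorts["organic"]
        ratio = a_mean / max(o_mean, 1.0)  # floor avoids division by zero
        if ratio >= min_ratio and a_hidden >= min_hidden_share:
            findings[app] = "gated-hidden-ads"
        else:
            findings[app] = "consistent"
    return findings

if __name__ == "__main__":
    for app, verdict in sorted(flag_gated_apps(SAMPLE).items()):
        print(f"{app}: {verdict}")
```
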

Response and Future Outlook

Google has acted to dismantle the Trapdoor operation by removing all identified malicious apps from the Google Play Store, following responsible disclosure. The complete list of these apps has been made available to the public.

As highlighted by Lindsay Kaye, vice president of threat intelligence at HUMAN, the operation employed sophisticated techniques to blend in with legitimate software, using obfuscation and anti-analysis methods to avoid detection.

Gavin Reid, chief information security officer at HUMAN, emphasized how fraudsters leverage legitimate tools and software to sustain their fraudulent activities. The ongoing efforts of the Satori team aim to counteract these evolving threats.

Copyright © 2026 Cyber Web Spider Blog – News.
