Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Cybersecurity researchers at HUMAN have uncovered Trapdoor, a sophisticated malvertising operation that utilized 455 malicious Android applications to generate fraudulent ad revenue through hidden WebViews and automated touch activity.

Key Points

  • The Trapdoor campaign reached a peak of 659 million daily bid requests and recorded over 24 million total app downloads.
  • Malicious apps masqueraded as utility tools, such as PDF viewers, to trick users into installing secondary applications that performed ad fraud.
  • Threat actors abused legitimate install attribution tools to selectively activate malicious behavior only for users acquired through specific ad campaigns.
  • The operation utilized 183 command-and-control domains and HTML5-based cashout sites to sustain its illicit revenue cycle.
  • Google has removed all identified malicious applications from the Play Store following the disclosure by the Satori Threat Intelligence team.

Why it Matters

This operation highlights the growing sophistication of fraudsters who leverage legitimate marketing tools and obfuscation to evade detection while turning everyday app installs into self-funding criminal pipelines. By targeting users through selective activation, these actors successfully bypassed traditional security analysis to compromise millions of devices primarily located in the United States.

Published by info@thehackernews.com (The Hacker News)