Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Ravie LakshmananMay 19, 2026Malvertising / Mobile Security

Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users.

The activity, per HUMAN's Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud.

"Users unwittingly download a threat actor-owned app, often a utility-style app like a PDF viewer or device cleanup tool," researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell detailed in a report shared with The Hacker News.

"These apps trigger malvertising campaigns that coerce users into downloading additional threat actor-owned apps. The secondary apps launch hidden WebViews, load threat actor-owned HTML5 domains, and request ads."

The campaign, the cybersecurity company added, is self-sustaining in that an organic app install turns into an illicit revenue generation cycle that can be used to fund follow-on malvertising campaigns. One notable aspect of the activity is the use of HTML5-based cashout sites, a pattern observed in prior threat clusters tracked as SlopAds, Low5, and BADBOX 2.0.

At the peak of the operation, Trapdoor accounted for 659 million bid requests a day, with Android apps linked to the scheme downloaded more than 24 million times. Traffic associated with the campaign primarily originated from the U.S., which took up more than three-fourths of the traffic volume.

"The threat actors behind Trapdoor also abuse install attribution tools  (technology designed to help legitimate marketers track how users discover apps) to enable malicious behavior only in users acquired through threat actor-run ad campaigns, while suppressing it for organic downloads of the associated apps," HUMAN said.

Trapdoor combines two disparate approaches, malvertising distribution and hidden ad-fraud monetization, where unsuspecting users end up downloading bogus apps masquerading as seemingly harmless utilities that act as a conduit for serving malicious ads for other Trapdoor apps, which are designed to perform automated touch fraud, as well as launch hidden WebViews, load threat actor-controlled washout domains, and request ads.

It's worth noting that only the second-stage app is used to trigger fraud. Once the organically downloaded app is launched, it serves fake pop-up alerts that mimic app update messages to trick users into installing the next-stage app.

This behavior also indicates that the payload is activated only for those who fall victim to the advertising campaign. In other words, anybody who downloads the app directly from the Play Store or sideloads it will not be targeted. Besides this selective activation technique, Trapdoor employs various anti-analysis and obfuscation techniques to sidestep detection.

"This operation uses real, everyday software and multiple obfuscation and anti-analysis techniques - such as impersonating legitimate SDKs to blend in - to help fuse malvertising distribution, hidden ad fraud monetization, and multi-stage malware distribution," Lindsay Kaye, vice president of threat intelligence at HUMAN, said.

Following responsible disclosure, Google has taken steps to remove all identified malicious apps from the Google Play Store, effectively neutralizing the operation. The complete list of Android apps is available here.

"Trapdoor shows how determined fraudsters turn everyday app installs into a self-funding pipeline for malvertising and ad fraud," Gavin Reid, chief information security officer at HUMAN, said. "This is another instance of threat actors co-opting legitimate tools - such as attribution software - to aid in their fraud campaigns and help them evade detection."

"By chaining together utility apps, HTML5 cashout domains, and selective activation techniques that hide from researchers, these actors are constantly evolving, and our Satori team is committed to tracking and disrupting them at scale."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

SHARE    

Tweet Share Share Share

SHARE  ad fraud, Android, cybersecurity, Google, Google Play, malvertising, Malware, mobile security, Threat Intelligence

⚡ Top Stories This Week

Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software

Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories

Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros

GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension

GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos

Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability

⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems

NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective

The New Phishing Click: How OAuth Consent Bypasses MFA

Developer Workstations Are Now Part of the Software Supply Chain

⭐ Featured Resources

Claim ANY.RUN Anniversary Offer for Faster Malware Analysis

[Guide] Learn to Detect AI Typosquatting Risks in Your Domain

[Guide] Get Key Identity Security Insights From 2026 Snapshot

Discover How to Navigate the Era of Constant Cyber Exposure

Cybersecurity Webinars

With HD Moore (Creator of Metasploit) Learn How to Detect Threats Beyond Zero Day Attacks Learn practical strategies to detect and defend against cyber threats beyond zero-day vulnerabilities. Register

Tired of False Positives? Validate Automated Pentesting Results Before Acting Learn how to validate automated pentesting results for accurate security decisions. Register

⚡ Latest News

Cybersecurity Resources

AI Is Reshaping Every Attack Surface. Train for What's NextSANSFIRE 2026 in D.C. brings 50+ courses, AI-focused sessions, and NetWars. July 13–18. Save $500. Your VPN is Helping Attackers Move as Fast as AIAI collapsed human response window and turned remote access into fastest path to breach. Earn a Master's in Cybersecurity Risk ManagementLead the future of cybersecurity risk management with an online Master’s from Georgetown. ​

Expert Insights Articles Videos

You Can't Patch Your Way Out of This One

May 25, 2026 Read ➝

How to Test Ransomware Recovery Without Reinfecting Your Environment

May 25, 2026 Read ➝

The Scam Before the Game: CTM360 Reveals Threats Targeting FIFA World Cup 2026 Fans

May 25, 2026 Read ➝

7 Signs Your Organization Is Vulnerable to Business Email Compromise

May 18, 2026 Read ➝

Get the Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.

Email