Trapdoor Ad Fraud Operation Abused 455 Android Apps to Generate 659 Million Daily Bid Requests
HUMAN's Satori team uncovered Trapdoor, an Android ad fraud and malvertising campaign involving 455 malicious apps that generated 659 million daily bid requests at its peak.

Cybersecurity researchers at HUMAN's Satori Threat Intelligence and Research Team have disclosed a large-scale ad fraud and malvertising operation dubbed Trapdoor that targeted Android users worldwide. The campaign involved 455 malicious Android apps and 183 command-and-control domains, creating a self-sustaining pipeline for multi-stage fraud and potential malware delivery.
According to a detailed report shared with The Hacker News, the operation works in two stages. Users unknowingly download a seemingly harmless utility app — such as a PDF viewer or device cleanup tool — from the Google Play Store. Once launched, the first-stage app triggers fake pop-up alerts mimicking app update messages that trick users into installing a second-stage app. The secondary apps then launch hidden WebViews, load threat actor-controlled HTML5 domains, and request advertisements, simulating user engagement to commit automated touch fraud.
A notable feature of Trapdoor is its abuse of install attribution tools — technology designed to help legitimate marketers track how users discover apps. The threat actors configured the malicious behavior to activate only for users acquired through their own ad campaigns, suppressing it for organic downloads. This selective activation technique, combined with anti-analysis and obfuscation methods such as impersonating legitimate SDKs, allowed the operation to evade detection by researchers and app stores alike.
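
One way an analyst can test for this kind of selective activation, shown as an added example that is not taken from HUMAN's report: run the same app in a sandbox once as an organic install and once as a campaign-attributed install, then diff the observed behaviour. The event fields, host names and threshold below are constructed assumptions, not values from the campaign.

```python
# Constructed sandbox captures for one app installed two ways. Field names
# and hosts are hypothetical; real captures would come from your own proxy
# and UI instrumentation.
ORGANIC_RUN = [
    {"host": "cdn.example-utility.test", "ad_request": False, "webview_visible": True},
    {"host": "ads.example-network.test", "ad_request": True, "webview_visible": True},
]
ATTRIBUTED_RUN = ORGANIC_RUN + [
    {"host": "games.example-h5.test", "ad_request": False, "webview_visible": False},
    {"host": "ads.example-network.test", "ad_request": True, "webview_visible": False},
    {"host": "ads.example-network.test", "ad_request": True, "webview_visible": False},
    {"host": "ads.example-network.test", "ad_request": True, "webview_visible": False},
]


def summarize(events):
    """Return (set of hosts, count of ad requests made from non-visible WebViews)."""
    hosts = {e["host"] for e in events}
    hidden_ads = sum(1 for e in events if e["ad_request"] and not e["webview_visible"])
    return hosts, hidden_ads


def compare_runs(organic, attributed, hidden_ad_threshold=1):
    """Flag behaviour that appears only when the install is campaign-attributed."""
    org_hosts, org_hidden = summarize(organic)
    att_hosts, att_hidden = summarize(attributed)
    new_hosts = sorted(att_hosts - org_hosts)
    extra_hidden = att_hidden - org_hidden
    reasons = []
    if new_hosts:
        # Weak signal on its own: attribution SDKs can legitimately add hosts.
        reasons.append("hosts contacted only after attributed install")
    if extra_hidden >= hidden_ad_threshold:
        # Stronger signal: ads requested where no user can see them.
        reasons.append("hidden-WebView ad requests only after attributed install")
    return {
        "new_hosts": new_hosts,
        "extra_hidden_ad_requests": extra_hidden,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    print(compare_runs(ORGANIC_RUN, ATTRIBUTED_RUN))
```

An app that behaves identically in both runs produces no reasons. A review that only ever installs the app organically would see the first capture and nothing else.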
At the peak of the operation, Trapdoor accounted for 659 million bid requests per day. The associated Android apps were downloaded more than 24 million times. Traffic primarily originated from the United States, which accounted for over 75% of the volume. The HTML5-based cashout domains used in the scheme have been observed in prior threat clusters tracked as SlopAds, Low5, and BADBOX 2.0, indicating that the threat actors are leveraging established infrastructure and techniques.
Following responsible disclosure, Google has removed all identified malicious apps from the Google Play Store, effectively neutralizing the operation. The full list of 455 apps has been published by HUMAN to aid detection and remediation efforts. The campaign demonstrates how fraudsters can weaponize everyday app installs into self-funding pipelines for malvertising and ad fraud, co-opting legitimate tools such as attribution software to evade detection.
"Trapdoor shows how determined fraudsters turn everyday app installs into a self-funding pipeline for malvertising and ad fraud," said Gavin Reid, chief information security officer at HUMAN. "By chaining together utility apps, HTML5 cashout domains, and selective activation techniques that hide from researchers, these actors are constantly evolving, and our Satori team is committed to tracking and disrupting them at scale."
Lindsay Kaye, vice president of threat intelligence at HUMAN, added: "This operation uses real, everyday software and multiple obfuscation and anti-analysis techniques — such as impersonating legitimate SDKs to blend in — to help fuse malvertising distribution, hidden ad fraud monetization, and multi-stage malware distribution." The discovery underscores the growing sophistication of mobile ad fraud operations and the need for continued vigilance by both platform operators and users.
HUMAN's report, covered by GovInfoSecurity, adds that the Trapdoor campaign has generated over 24 million fraudulent app installs, creating a self-sustaining cycle where ad revenue is reinvested into new malvertising. The malicious apps simulate realistic user interactions like taps and swipes to evade detection, and portions of the monetization link to other ad fraud operations such as BADBOX 2.0. While most activity is in the United States, traffic has also been observed in Japan, Australia, Russia, New Zealand, and India.