- Trapdoor campaign funneled malvertising into ad fraud using 455 malicious Android apps and 183 C2 domains.
- The operation generated 659 million daily bid requests at its peak, with apps downloaded over 24 million times.
- Google removed identified apps from the Play Store after disclosure, effectively neutralizing the operation.
Cybersecurity researchers uncovered a sophisticated ad fraud and malvertising operation, dubbed Trapdoor, that targeted Android device users in May 2026. According to a report from HUMAN’s Satori Threat Intelligence team shared with The Hacker News, the campaign encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control domains, creating a self-sustaining pipeline for multi-stage fraud. Unsuspecting users downloaded utility-style apps, which then triggered malvertising campaigns that coerced them into installing secondary apps designed for hidden ad fraud.
These secondary apps launched hidden WebViews and loaded threat actor-owned HTML5 domains to request ads, a tactic also seen in prior clusters like SlopAds and BADBOX 2.0. At its peak, Trapdoor accounted for 659 million bid requests a day, with traffic primarily originating from the U.S., according to researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell. The operation also abused install attribution tools to enable malicious behavior only for users acquired through threat actor-run ad campaigns, suppressing it for organic downloads.
The apps also employed fake pop-up alerts mimicking update messages to trick users into installing the next-stage payload. The actors used multiple obfuscation and anti-analysis techniques, such as impersonating legitimate SDKs, to evade detection. Following responsible disclosure, Google removed all identified malicious apps from the Play Store, as detailed in HUMAN’s report. Gavin Reid, HUMAN’s CISO, stated, “Trapdoor shows how determined fraudsters turn everyday app installs into a self-funding pipeline for malvertising and ad fraud.”
