Trapdoor Campaign Used 455 Android Apps to Generate 659M Bids
Researchers report the Trapdoor ad-fraud campaign used 455 Android apps and 183 C2 domains to generate 659 million ad bid requests per day via HTML5 cashout sites and selective activation.
Researchers with HUMAN’s Satori Threat Intelligence and Research Team reported that an ad-fraud operation called Trapdoor used 455 Android apps and 183 command-and-control domains to generate about 659 million ad bid requests per day. Apps linked to the campaign were downloaded more than 24 million times.
The operation used a two-stage install process. First-stage apps were presented as legitimate utilities, such as PDF viewers and device cleaners. Those apps displayed fake pop-up alerts that mimicked update messages and urged users to install a second app controlled by the operators.
Once installed, the second-stage apps launched hidden WebViews that loaded HTML5 cashout domains owned by the threat actors. The cashout sites requested ads and performed automated touch fraud. Researchers connected those domains to earlier ad-fraud clusters tracked as SlopAds, Low5 and BADBOX 2.0.
HUMAN found the campaign activated malicious behavior only for users who arrived via the operators’ ad campaigns. The attackers abused install attribution tools — legitimate marketing technology that identifies how users discover apps — so the fraud remained dormant for organic or sideloaded installs.
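The two tells described above, hidden WebViews that request ads and activation gated on paid-campaign attribution, can be turned into a detection heuristic over app telemetry. The following is an added example, not code from HUMAN or the report; the session records, app ids, domains and the install-source labels are constructed placeholders, and the telemetry schema is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Session:
    app_id: str
    install_source: str          # assumed labels: "paid_campaign", "organic", "sideload"
    webview_visible: bool        # False = WebView off-screen / zero-size / hidden
    webview_domain: Optional[str]
    ad_requests: int             # ad bid requests observed from that WebView

# Constructed sample telemetry; none of these ids or domains come from the report.
SAMPLE_SESSIONS: List[Session] = [
    Session("com.example.pdfviewer", "paid_campaign", False, "cashout.example", 420),
    Session("com.example.pdfviewer", "paid_campaign", False, "cashout.example", 390),
    Session("com.example.pdfviewer", "organic",       True,  None,              0),
    Session("com.example.pdfviewer", "sideload",      True,  None,              0),
    Session("com.example.notes",     "paid_campaign", True,  "notes.example",   3),
    Session("com.example.notes",     "organic",       True,  "notes.example",   2),
]

def hidden_ad_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions whose ad requests come from a WebView the user cannot see."""
    return [s for s in sessions if not s.webview_visible and s.ad_requests > 0]

def flag_selective_activation(sessions: List[Session], min_ratio: float = 10.0) -> List[str]:
    """App ids whose hidden-WebView ad volume is concentrated in attributed
    (paid-campaign) installs and absent or negligible for organic/sideloaded ones."""
    per_app = defaultdict(lambda: {"attributed": 0, "other": 0})
    for s in hidden_ad_sessions(sessions):
        bucket = "attributed" if s.install_source == "paid_campaign" else "other"
        per_app[s.app_id][bucket] += s.ad_requests
    flagged = []
    for app, counts in per_app.items():
        attributed, other = counts["attributed"], counts["other"]
        if attributed > 0 and (other == 0 or attributed / other >= min_ratio):
            flagged.append(app)
    return sorted(flagged)

def hidden_domains(sessions: List[Session], app_id: str) -> List[str]:
    """Domains loaded in hidden WebViews by one app, as candidate cashout sites to review."""
    return sorted({s.webview_domain for s in hidden_ad_sessions(sessions)
                   if s.app_id == app_id and s.webview_domain})

if __name__ == "__main__":
    for app in flag_selective_activation(SAMPLE_SESSIONS):
        print(app, hidden_domains(SAMPLE_SESSIONS, app))
```

Because the fraud stays dormant for organic and sideloaded installs, a review that only exercises an app installed directly from the store will not see the hidden WebView traffic; comparing cohorts by install source is what exposes it.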
The operation used obfuscation and anti-analysis techniques to evade detection, including impersonating legitimate software development kits to blend malicious code with normal app behavior. Traffic analysis showed more than three-quarters of the bid requests originated in the United States.
After researchers disclosed their findings to Google, the identified apps were removed from the Play Store. The disclosure from HUMAN includes a full list of affected apps and domains.
Gavin Reid, chief information security officer at HUMAN, described the operation as ‘self-sustaining,’ noting organic installs can fund follow-on ad campaigns. Lindsay Kaye, vice president of threat intelligence at HUMAN, wrote that the actors fused malvertising distribution with hidden ad-fraud monetization and multiple evasion techniques.