Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Iran-Linked MuddyWater Poses as Ransomware Gang to Mask Espionage

June 25, 2026

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
Facebook X (Twitter) Instagram
Thursday, June 25
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps
News

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Team-CWDBy Team-CWDMay 27, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users.

The activity, per HUMAN’s Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud.

“Users unwittingly download a threat actor-owned app, often a utility-style app like a PDF viewer or device cleanup tool,” researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell detailed in a report shared with The Hacker News.

“These apps trigger malvertising campaigns that coerce users into downloading additional threat actor-owned apps. The secondary apps launch hidden WebViews, load threat actor-owned HTML5 domains, and request ads.”

The campaign, the cybersecurity company added, is self-sustaining in that an organic app install turns into an illicit revenue generation cycle that can be used to fund follow-on malvertising campaigns. One notable aspect of the activity is the use of HTML5-based cashout sites, a pattern observed in prior threat clusters tracked as SlopAds, Low5, and BADBOX 2.0.

At the peak of the operation, Trapdoor accounted for 659 million bid requests a day, with Android apps linked to the scheme downloaded more than 24 million times. Traffic associated with the campaign primarily originated from the U.S., which took up more than three-fourths of the traffic volume.

“The threat actors behind Trapdoor also abuse install attribution tools  (technology designed to help legitimate marketers track how users discover apps) to enable malicious behavior only in users acquired through threat actor-run ad campaigns, while suppressing it for organic downloads of the associated apps,” HUMAN said.

Trapdoor combines two disparate approaches, malvertising distribution and hidden ad-fraud monetization, where unsuspecting users end up downloading bogus apps masquerading as seemingly harmless utilities that act as a conduit for serving malicious ads for other Trapdoor apps, which are designed to perform automated touch fraud, as well as launch hidden WebViews, load threat actor-controlled washout domains, and request ads.

It’s worth noting that only the second-stage app is used to trigger fraud. Once the organically downloaded app is launched, it serves fake pop-up alerts that mimic app update messages to trick users into installing the next-stage app.

This behavior also indicates that the payload is activated only for those who fall victim to the advertising campaign. In other words, anybody who downloads the app directly from the Play Store or sideloads it will not be targeted. Besides this selective activation technique, Trapdoor employs various anti-analysis and obfuscation techniques to sidestep detection.

“This operation uses real, everyday software and multiple obfuscation and anti-analysis techniques – such as impersonating legitimate SDKs to blend in – to help fuse malvertising distribution, hidden ad fraud monetization, and multi-stage malware distribution,” Lindsay Kaye, vice president of threat intelligence at HUMAN, said.

Following responsible disclosure, Google has taken steps to remove all identified malicious apps from the Google Play Store, effectively neutralizing the operation. The complete list of Android apps is available here.

“Trapdoor shows how determined fraudsters turn everyday app installs into a self-funding pipeline for malvertising and ad fraud,” Gavin Reid, chief information security officer at HUMAN, said. “This is another instance of threat actors co-opting legitimate tools – such as attribution software – to aid in their fraud campaigns and help them evade detection.”

“By chaining together utility apps, HTML5 cashout domains, and selective activation techniques that hide from researchers, these actors are constantly evolving, and our Satori team is committed to tracking and disrupting them at scale.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleWhy Burnout in Cybersecurity Demands Risk-Based Response
Next Article All Major LLMs Exposed to Multi-Turn Manipulation, Warn Researchers
Team-CWD
  • Website

Related Posts

News

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026
News

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
News

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

June 24, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

The quest for greater tech independence

May 19, 2026

The hidden risks of browser extensions – and how to avoid them

September 13, 2025

A phishing attack that doesn’t steal your password

June 15, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.