Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Ravie Lakshmanan | May 19, 2026 | Malvertising / Mobile Security

Cybersecurity researchers have revealed details about a new ad fraud and malvertising campaign named Trapdoor that specifically targets Android device users.

The operation, as reported by HUMAN’s Satori Threat Intelligence and Research Team, involved 455 malicious Android apps and 183 command-and-control (C2) domains owned by threat actors, creating a system for multi-stage fraud.

“Users unknowingly download an app owned by threat actors, often disguised as a utility app like a PDF viewer or device cleanup tool,” detailed researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell in a report shared with The Hacker News.

“These apps trigger malvertising campaigns that coerce users into downloading additional apps owned by threat actors. The secondary apps launch hidden WebViews, load HTML5 domains owned by threat actors, and request ads,” they added.

The campaign, according to the cybersecurity company, is self-sustaining, with organic app installs leading to an illicit revenue cycle used to fund subsequent malvertising campaigns. The use of HTML5-based cashout sites is a notable feature of the operation, a pattern previously observed in threat clusters known as SlopAds, Low5, and BADBOX 2.0.

During its peak, Trapdoor was responsible for 659 million bid requests per day, with Android apps associated with the scheme being downloaded over 24 million times. The majority of the campaign’s traffic originated from the U.S., accounting for more than three-fourths of the total traffic volume.

“The threat actors behind Trapdoor also exploit install attribution tools (technology designed to help legitimate marketers track how users discover apps) to enable malicious behavior only in users acquired through threat actor-run ad campaigns, while suppressing it for organic downloads of the associated apps,” HUMAN stated.

Trapdoor combines malvertising distribution with hidden ad-fraud monetization. Users unwittingly download fake apps posing as harmless utilities; these apps serve malicious ads for other Trapdoor apps, which in turn conduct automated touch fraud and load threat actor-controlled cashout domains.

It’s important to note that only the second-stage app is used for fraudulent activities. Once the organically downloaded app is opened, it displays fake pop-up alerts resembling app update messages to deceive users into installing the next-stage app.

The attribution check means that the payload is activated only for users acquired through the threat actors' advertising campaigns. In other words, individuals who download the app directly from the Play Store or via sideloading will not be affected. In addition to this selective activation method, Trapdoor employs various anti-analysis and obfuscation techniques to evade detection.

“This operation utilizes everyday software and multiple obfuscation and anti-analysis techniques – such as mimicking legitimate SDKs to blend in – to merge malvertising distribution, hidden ad fraud monetization, and multi-stage malware distribution,” stated Lindsay Kaye, vice president of threat intelligence at HUMAN.

Following responsible disclosure, Google has taken action to remove all identified malicious apps from the Google Play Store, effectively dismantling the operation. The complete list of Android apps involved is accessible here.

“Trapdoor demonstrates how determined fraudsters transform everyday app installs into a self-sustaining pipeline for malvertising and ad fraud,” commented Gavin Reid, chief information security officer at HUMAN. “This is another example of threat actors misusing legitimate tools – such as attribution software – to facilitate their fraud schemes and evade detection.”

“By connecting utility apps, HTML5 cashout domains, and selective activation techniques that evade researchers, these actors are continuously evolving, and our Satori team is dedicated to monitoring and disrupting them on a large scale,” Reid added.