DEV Community

Deepak Sharma


Trapdoor Android Ad Fraud Scheme Used 455 Apps to Generate Massive Fake Ad Traffic

Cybersecurity researchers have uncovered a large Android ad fraud and malvertising operation known as Trapdoor. The campaign involved hundreds of malicious apps and a wide network of attacker-controlled domains designed to generate fraudulent advertising revenue.

According to researchers, Trapdoor used 455 malicious Android apps and 183 command-and-control domains. Many of the apps appeared to be normal utility tools, such as PDF viewers, device cleaners, or similar everyday applications. Users downloaded these apps without realizing they were part of a larger fraud ecosystem.

Once installed, the apps could trigger malvertising campaigns that pushed users toward downloading additional attacker-controlled apps. These secondary apps then launched hidden WebViews, loaded threat actor-owned HTML5 domains, and requested ads in the background. This created a continuous cycle of fake ad impressions and bid requests.

At its peak, the operation generated around 659 million bid requests per day. Apps connected to the scheme were downloaded more than 24 million times, with most of the traffic coming from the United States.

One of the most concerning parts of Trapdoor was its use of install attribution tools. These tools are normally used by legitimate marketers to understand how users discover apps. In this case, attackers abused them to activate malicious behavior only for users acquired through their own ad campaigns, while hiding suspicious activity from organic users and researchers.
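Because the malicious behavior is gated on install attribution, an analyst can look for it by running the same app twice in a sandbox, once as an organic install and once as a campaign-attributed install, and comparing the two runs. The Python below is an added example, not code from the researchers or the original post; the event format, host names, and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sandbox telemetry: (run, app_in_foreground, destination_host, request_kind).
# "organic" = app installed directly; "attributed" = installed via an ad-campaign referrer.
# All hosts are hypothetical placeholders, not indicators from the Trapdoor research.
SAMPLE_EVENTS = [
    ("organic", True, "api.pdfviewer.example", "api"),
    ("organic", False, "api.pdfviewer.example", "api"),
    ("attributed", True, "api.pdfviewer.example", "api"),
    ("attributed", False, "games.h5-site.example", "webview_load"),
    ("attributed", False, "ads.exchange.example", "ad_request"),
    ("attributed", False, "ads.exchange.example", "ad_request"),
    ("attributed", False, "ads.exchange.example", "ad_request"),
    ("attributed", True, "ads.exchange.example", "ad_request"),
]


def differential_report(events, min_background_ads=2):
    """Compare an organic run with an attributed run of the same app.

    Flags the app when the attributed run contacts hosts the organic run never
    touched AND issues ad requests while the app is in the background, which
    the organic run does not do at all.
    """
    hosts = defaultdict(set)       # run -> hosts contacted
    background_ads = defaultdict(int)  # run -> ad requests made while backgrounded
    for run, foreground, host, kind in events:
        hosts[run].add(host)
        if kind == "ad_request" and not foreground:
            background_ads[run] += 1

    organic_bg = background_ads["organic"]
    attributed_bg = background_ads["attributed"]
    attributed_only = sorted(hosts["attributed"] - hosts["organic"])
    gated_ads = attributed_bg >= min_background_ads and organic_bg == 0
    return {
        "attributed_only_hosts": attributed_only,
        "background_ad_requests": {"organic": organic_bg, "attributed": attributed_bg},
        "suspect_attribution_gating": bool(attributed_only) and gated_ads,
    }


if __name__ == "__main__":
    print(differential_report(SAMPLE_EVENTS))
```

A clean app produces the same host set in both runs and no background ad requests, so the flag stays false.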

Google has since removed the identified malicious apps from the Play Store after responsible disclosure, helping disrupt the operation.

Trapdoor shows how ad fraud has evolved beyond simple fake clicks. Attackers are now combining mobile apps, hidden browser views, attribution abuse, and malvertising to create self-funding fraud networks.

Cybersecurity companies like IntelligenceX help organizations understand and reduce such risks through mobile threat analysis, fraud detection, malware research, and digital security monitoring.

For users, the safest approach is to download apps only from trusted developers, review app permissions, avoid suspicious utility apps, and remove apps that show unusual ads or background activity.
