Trapdoor Android Ad Fraud: 455 Malicious Operation Uses

Marcus Rodriguez
May 20, 2026

Cybersecurity researchers have uncovered a significant ad fraud operation, dubbed Trapdoor, that has been targeting Android users through 455 malicious applications. This large

At its peak, the operation produced 659 million fraudulent bid requests in a single day and accumulated well over 24 million downloads on affected devices around the world.

What makes Trapdoor particularly dangerous is how ordinary it looks at first glance. The apps in this scheme pose as simple utility tools: PDF viewers, file managers, and device cleanup apps that any everyday user might download without much concern.

Once installed, these apps do not immediately launch malicious activity. Instead, they push fake ads warning the user that the app is outdated and needs an urgent update.

When the user taps through that prompt, they unknowingly end up installing a second, more harmful app controlled by the same threat actors.

Researchers at HUMAN’s Satori Threat Intelligence and Research Team, including Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell, identified and disrupted the operation.

Figure: Trapdoor threat (Source: HUMAN)

HUMAN Security said in a report shared with Cyber Security News (CSN) that the campaign fuses malvertising and ad fraud within a single connected pipeline, making it one of the more technically layered threats uncovered in the Android ecosystem in recent memory.

The secondary apps are where the real fraud takes place. Once installed, they launch hidden browser windows loading threat actor-owned HTML5 domains and automatically interact with ads without the user seeing anything at all.

Trapdoor Android Ad Fraud Operation

This generates revenue for the attackers while burning legitimate advertiser budgets on clicks that no real person ever made.

Those earnings can then fund additional malvertising campaigns, creating a self-sustaining loop that keeps the operation alive.

Google has removed all identified apps from the Play Store following responsible disclosure. Researchers noted that threat actors were still publishing new apps and cycling through fresh domains even while the report was being finalized, showing no sign of stopping.

Trapdoor moves through four connected stages: distribution, activation, payload delivery, and monetization. The first stage relies on app stores, where users willingly download apps that appear helpful and harmless.

Initial apps are kept clean enough to pass basic security review checks and avoid raising early suspicion. After installation, the first app begins serving fake ads shaped like urgent update alerts.

These prompts feel credible and familiar, exploiting the common habit of tapping through app notifications without careful inspection. Users who fall for it end up installing a second app, which is the true payload carrier in this operation.

The second app hides its activity inside fullscreen browser windows the user never sees. These hidden windows load HTML5 pages on threat actor-owned domains and execute scripted touch gestures targeting specific ad placements.

The gesture data comes from two bundled files, move.txt and click.txt, which map exact screen coordinates and timing so fake clicks appear genuinely human.

Evasion Tactics That Complicate Detection

One of Trapdoor’s most notable traits is how effectively it avoids being spotted. The malicious workflow never activates for organic downloads, meaning an analyst who pulls the app from the Play Store directly sees nothing harmful.

Fraud only triggers for users who arrived through the threat actors’ paid campaigns, confirmed by a marketing attribution tracker value within the install record.

Beyond this selective trigger, the apps use code packing, string encryption, and code virtualization to slow down reverse engineering attempts significantly.

Some variants also impersonate legitimate advertising tools at the code level, helping malicious logic pass initial inspection.

The apps additionally check for VPN activity and debugging indicators, suppressing all malicious behavior the moment either is found.

Users are advised to avoid utility-style apps from unfamiliar developers and to read permission requests carefully before installing anything new.

Removing apps no longer in use and keeping devices updated with current security patches are straightforward habits that meaningfully reduce exposure to operations like Trapdoor.

Indicators of Compromise (IoCs):

The following table reflects the IoC types and key technical artifacts confirmed within the operation:

Type                | Indicator                                         | Description
File Name           | move.txt                                          | Bundled file containing pre-programmed swipe/movement gesture coordinates used for automated ad interaction
File Name           | click.txt                                         | Bundled file containing tap coordinates and timing data used to simulate human ad clicks
C2 Domain List      | 183 threat actor-owned domains (full list: CSV)   | Command-and-control domains serving click configuration, HTML5 cashout pages, and anti-analysis signals
Malicious App List  | 455 Android apps (full list: CSV)                 | Threat actor-owned Android applications used to distribute Trapdoor and carry out ad fraud
API Endpoint        | /api/referrer                                     | C2 endpoint used to deliver anti-analysis signals including rooted-device checks, debugging indicators, and VPN detection
Class/File Type     | Fake SDK class                                    | Code structure impersonating a legitimate advertising SDK to evade static analysis
Data Class          | TouchConfig / TouchData                           | Deserialized model classes used to execute automated touch events via Android's dispatchTouchEvent
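The gesture files, the /api/referrer endpoint and the TouchConfig/TouchData classes described above are all static artifacts an analyst can look for inside an APK before ever running it. The following Python script is an added example written for this article (it is not HUMAN's tooling and not code from the report): it treats an APK as the zip archive it is, flags members named move.txt or click.txt, and searches each member for the IoC strings from the table. ASCII identifiers are stored verbatim inside classes.dex, so a raw substring search is enough for a first-pass triage. The scoring weights and the two in-memory sample archives are constructed for the demonstration; the real contents of move.txt and click.txt are not described in the report, so placeholder text stands in for them. dispatchTouchEvent is deliberately weighted low because any benign app with a custom View overrides it.

```python
import io
import zipfile

# Artefact names and strings come from the IoC table above; everything else
# (the sample archives, the scoring weights) is constructed for this example.
IOC_ASSET_NAMES = {"move.txt", "click.txt"}
IOC_STRINGS = (
    "/api/referrer",       # C2 endpoint delivering anti-analysis signals
    "TouchConfig",         # deserialized touch model classes
    "TouchData",
    "dispatchTouchEvent",  # Android API used to replay the scripted touches
)


def scan_apk_bytes(apk_bytes):
    """Scan an APK (a zip archive) for the Trapdoor IoCs listed in the table.

    Returns {"assets": [member paths named move.txt/click.txt],
             "strings": {ioc_string: [member paths containing it]}}.
    """
    findings = {"assets": [], "strings": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = info.filename
            if path.rsplit("/", 1)[-1] in IOC_ASSET_NAMES:
                findings["assets"].append(path)
            data = zf.read(path)
            for needle in IOC_STRINGS:
                if needle.encode("ascii") in data:
                    findings["strings"].setdefault(needle, []).append(path)
    return findings


def score_findings(findings):
    """Weight the IoCs (constructed weights): the gesture-file pair and the C2
    path are specific to this operation; dispatchTouchEvent alone is common in
    benign apps and only corroborates stronger hits."""
    basenames = {p.rsplit("/", 1)[-1] for p in findings["assets"]}
    hits = findings["strings"]
    score = 0
    if IOC_ASSET_NAMES <= basenames:
        score += 3
    if "/api/referrer" in hits:
        score += 3
    if "TouchConfig" in hits or "TouchData" in hits:
        score += 2
    if "dispatchTouchEvent" in hits and score > 0:
        score += 1
    return score


def classify(findings):
    """Map the score onto a triage verdict: high / medium / low."""
    score = score_findings(findings)
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def build_sample_apk(malicious):
    """Construct an in-memory APK-like zip for demonstration (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        if malicious:
            # Placeholder gesture files; the real format is not in the report.
            zf.writestr("assets/move.txt", "placeholder gesture data")
            zf.writestr("assets/click.txt", "placeholder click data")
            zf.writestr("classes.dex", b"dex\n035\0...Lcom/example/TouchConfig;..."
                                       b"dispatchTouchEvent.../api/referrer...")
        else:
            # A benign app that merely overrides dispatchTouchEvent.
            zf.writestr("classes.dex", b"dex\n035\0...Lcom/example/MainActivity;..."
                                       b"dispatchTouchEvent...")
    return buf.getvalue()


if __name__ == "__main__":
    for is_malicious in (True, False):
        found = scan_apk_bytes(build_sample_apk(is_malicious))
        label = "malicious sample" if is_malicious else "benign sample"
        print(label, "->", classify(found), found)
```

To run it against a real file, pass `open("app.apk", "rb").read()` to `scan_apk_bytes`. A "low" verdict is not a clean bill of health: the article notes the apps use code packing, string encryption and virtualization, so the plain-text strings may only appear after unpacking, and the selective trigger means dynamic analysis of an organically installed copy shows nothing either.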

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
