455 Malicious Android Apps Linked to New Trapdoor Malvertising Campaign

Cybersecurity researchers have uncovered a large-scale Android ad fraud and malvertising campaign named Trapdoor, which has been used to trick users into installing malicious applications disguised as legitimate utility tools.

According to researchers from HUMAN Security, the operation involved 455 malicious Android apps and 183 attacker-controlled command-and-control (C2) domains, creating a sophisticated ecosystem for multi-stage ad fraud and malware distribution.

How the Trapdoor Campaign Works

The attack begins when users unknowingly install seemingly harmless utility apps such as PDF readers, device cleaners, or optimization tools. These apps appear legitimate but are secretly designed to launch malicious advertising campaigns.

Researchers explained that once installed, the fake utility apps display deceptive pop-up messages that imitate software updates or security alerts. These prompts encourage victims to download additional applications controlled by the attackers.

The second-stage apps are far more dangerous. They silently open hidden WebViews, connect to attacker-controlled HTML5 domains, and generate fraudulent ad requests in the background. This process enables cybercriminals to monetize infected devices through automated advertising fraud.

A Self-Sustaining Fraud Ecosystem

What makes Trapdoor especially concerning is its self-sustaining business model. A single organic app installation can trigger a chain reaction that continuously fuels malicious advertising campaigns and fraudulent revenue generation.

At its peak, the operation generated an astonishing 659 million ad bid requests per day. Researchers also found that the malicious Android apps connected to the campaign had been downloaded more than 24 million times.

Most of the traffic linked to the campaign originated from the United States, accounting for more than 75% of the total activity volume.

Use of HTML5 Cashout Domains

Security analysts noted that Trapdoor heavily relies on HTML5-based “cashout” websites — a tactic previously seen in malicious campaigns such as SlopAds, Low5, and BADBOX 2.0.

These cashout domains are used to load fraudulent advertising content while remaining hidden from users. The technique allows attackers to generate ad revenue silently while avoiding detection.
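The two mechanisms described above (hidden WebViews issuing ad requests in the background, and those requests landing on cashout domains the user never sees) leave a measurable trace in device telemetry: ad traffic that is generated while the app is not visible. The following Python heuristic is an added example written for this article, not HUMAN Security's code or anything recovered from the Trapdoor apps. It assumes a simplified telemetry format of `<timestamp> <EVENT> <package> <domain-or-dash>` with FOREGROUND/BACKGROUND/REQUEST events, and the sample log, package names and domains are all constructed.

```python
"""Flag apps whose ad/HTTP requests are mostly issued while not visible.

Added example for detecting hidden-WebView ad fraud from on-device telemetry.
The log format and every package/domain below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry, chronological, one event per line:
# "<ts> <EVENT> <package> <domain-or-dash>"
SAMPLE_LOG = """\
1000 FOREGROUND com.example.pdfreader -
1000 FOREGROUND com.example.notes -
1002 REQUEST com.example.pdfreader ads.legit-network.example
1003 REQUEST com.example.notes ads.legit-network.example
1004 BACKGROUND com.example.pdfreader -
1006 REQUEST com.example.notes ads.legit-network.example
1008 BACKGROUND com.example.notes -
1010 REQUEST com.example.pdfreader h5-cashout-a.example
1011 REQUEST com.example.pdfreader h5-cashout-a.example
1012 REQUEST com.example.pdfreader h5-cashout-b.example
1013 REQUEST com.example.pdfreader h5-cashout-a.example
1014 REQUEST com.example.pdfreader h5-cashout-b.example
1015 REQUEST com.example.pdfreader h5-cashout-a.example
1050 REQUEST com.example.notes sync.notes-vendor.example
"""


@dataclass
class AppStats:
    """Per-package request counts split by visibility state."""
    foreground_requests: int = 0
    background_requests: int = 0
    background_domains: set = field(default_factory=set)

    def background_ratio(self) -> float:
        total = self.foreground_requests + self.background_requests
        return self.background_requests / total if total else 0.0


def analyze(log_text: str) -> dict:
    """Attribute each REQUEST to the package's foreground/background state."""
    in_foreground = defaultdict(bool)   # package -> currently visible?
    stats = defaultdict(AppStats)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                    # skip malformed lines
        _ts, event, package, domain = parts
        if event == "FOREGROUND":
            in_foreground[package] = True
        elif event == "BACKGROUND":
            in_foreground[package] = False
        elif event == "REQUEST":
            s = stats[package]
            if in_foreground[package]:
                s.foreground_requests += 1
            else:
                # Requests while hidden are the hallmark of a hidden WebView;
                # the domains they hit are candidate cashout domains.
                s.background_requests += 1
                s.background_domains.add(domain)
    return dict(stats)


def flag_suspicious(stats: dict, min_background: int = 5,
                    min_ratio: float = 0.75) -> list:
    """Packages with enough background traffic and a high background share."""
    return sorted(
        pkg for pkg, s in stats.items()
        if s.background_requests >= min_background
        and s.background_ratio() >= min_ratio
    )


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for pkg in flag_suspicious(results):
        s = results[pkg]
        print(f"{pkg}: {s.background_requests} background requests "
              f"({s.background_ratio():.0%}) to {sorted(s.background_domains)}")
```

The thresholds are deliberately conservative: a legitimate app may sync in the background (the `com.example.notes` entry above), so a single hidden request is not enough; what stands out is a utility app whose ad traffic is almost entirely produced while the user is not looking at it. The set of background domains per flagged package is what an analyst would then compare against known ad-network endpoints to separate ordinary SDK traffic from cashout infrastructure.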

Selective Activation Helps Evade Detection

One of the most sophisticated elements of the Trapdoor campaign is its selective activation mechanism.

The malicious behavior is only triggered when users install apps through attacker-controlled advertising campaigns. Users who directly download the apps from the Google Play Store or sideload them manually are typically not targeted.

To achieve this, attackers abuse legitimate app install attribution tools — software commonly used by marketers to track how users discover mobile apps. By leveraging these tools, the threat actors can selectively activate malicious functionality only for intended victims.

This approach significantly reduces the likelihood of researchers or automated security systems detecting the fraud during routine analysis.

Advanced Obfuscation and Anti-Analysis Techniques

Researchers also discovered that Trapdoor uses multiple anti-analysis and obfuscation methods to remain hidden. Some malicious apps impersonate legitimate software development kits (SDKs) to blend into normal app behavior.

The campaign combines several cybercriminal techniques into one operation, including:

  • Malvertising distribution
  • Hidden ad fraud monetization
  • Multi-stage malware delivery
  • Automated touch fraud
  • Hidden WebView abuse
  • Selective payload activation

This layered strategy allows attackers to continuously evolve while avoiding traditional detection mechanisms.

Google Removes Malicious Apps

Following responsible disclosure by researchers, Google Play Protect has removed the identified malicious applications from the Google Play Store, helping disrupt the operation.

Security experts warn that campaigns like Trapdoor demonstrate how cybercriminals increasingly exploit legitimate advertising and attribution technologies to power large-scale fraud schemes.

Final Thoughts

The Trapdoor operation highlights the growing sophistication of Android-based ad fraud campaigns. By disguising malicious software as everyday utility applications and selectively activating harmful features, attackers can maintain long-running fraud ecosystems while remaining difficult to detect.

Users are advised to:

  • Download apps only from trusted developers
  • Review app permissions carefully
  • Avoid clicking suspicious update prompts
  • Keep Android devices and security software updated
  • Enable Google Play Protect for additional security monitoring

As mobile threats continue evolving, researchers expect cybercriminals to further refine these stealth techniques to maximize profits and evade detection.
