- Trapdoor is an ad fraud campaign using 455 Android apps and 183 C2 domains.
- The apps tricked users with fake updates and then secretly launched invisible WebViews to generate 659 million fraudulent bid requests daily.
- Google removed the apps, which had been downloaded more than 24 million times, after the disclosure, and researchers warned of malvertising channels created from everyday installs.
Security researchers uncovered and dismantled a major malvertising and ad fraud operation that comprised hundreds of Android apps and likely generated millions of dollars in profits.
Researchers on Human Security's Satori team say the Trapdoor campaign used 455 apps and 183 command and control (C2) domains.
It started on the Google Play Store, where victims were offered seemingly benign utility applications such as PDF readers and the like. These apps worked as intended and did nothing that would suggest malicious behavior (for example, they did not request extensive permissions or attempt to leak data to a third-party server). However, shortly after installation, the apps would display a pop-up window stating that they needed to be updated.
Hundreds of millions of bid requests
This update was fake, and accepting it actually downloaded a completely different app. That app, which did its best to stay hidden on the device, also launched invisible WebViews, loaded HTML5 domains under the attackers' control, and then requested ads.
Through these ads, which no one actually sees, threat actors stole money from advertisers, as well as companies that use ad networks to promote their products and services.
According to the Human Security report, at its peak, Trapdoor accounted for 659 million bid requests per day, meaning advertisers were bidding on 659 million false advertising opportunities every day. Additionally, the applications associated with the threat have been downloaded more than 24 million times.
After being notified of the findings, Google removed all identified malicious apps from the Play Store. You can find the full list of apps at this link and if you see something you are using, be sure to uninstall it from all your devices.
“Trapdoor is a reminder that threats to the digital advertising ecosystem do not fall neatly into single categories,” Human Security noted. “By merging malvertising delivery with hidden ad fraud monetization, Trapdoor creates a pipeline where each stage drives the next: malvertising drives secondary app installs, those apps generate fraudulent ad revenue, and that revenue can fund further malvertising campaigns.”





