The HUMAN Satori Threat Intelligence team has uncovered a large-scale fraudulent operation named Trapdoor, targeting Android users. According to the researchers, the scheme encompassed 455 malicious applications and 183 command-and-control (C2) infrastructure domains, forming a multi-stage ad fraud pipeline. Apps associated with the campaign were downloaded more than 24 million times, and at the peak of activity the operation was generating up to 659 million ad requests (bid requests) per day. More than three-quarters of the traffic reportedly originated from the United States. Google removed the identified apps from the Play Store following responsible disclosure, but users who had installed these apps earlier should check their devices.
Multi-stage infection chain
According to the HUMAN report, the Trapdoor operation uses a two-stage model. In the first stage, the user downloads a seemingly harmless utility app such as a PDF viewer or a device cleaning tool. This app does not itself perform the fraud; its role is to serve the malicious ad campaign: the user is shown fake pop-up notifications styled as app update prompts that push them to install a second application.
It is this second application that serves as the primary fraud instrument. According to the researchers, it performs the following actions:
- Launches hidden WebView components that are invisible to the user
- Loads attacker-controlled HTML5 domains
- Automatically requests and displays ads in a hidden manner
- Carries out automated touch fraud (simulated user taps)
The key feature of Trapdoor is the self-sustaining nature of the operation. Revenue from covert ad impressions is funneled into funding new malicious advertising campaigns that lure in additional users. As a result, each organic app install turns into a source of funds for expanding the scheme.
Evasion techniques
Trapdoor’s operators employ several notable methods to thwart analysis. The most significant is the abuse of install attribution tools. These tools, intended for legitimate marketers, make it possible to track how a user discovered an app. The attackers use this technology for selective activation: malicious behavior is triggered only for users who were acquired through advertising campaigns controlled by the attackers. Users who downloaded the app directly from the Google Play Store or installed it from another source are presumably not targeted.
This approach makes it much harder for researchers and automated app store review systems to detect the threat: during standard testing, the app behaves legitimately. In addition, Trapdoor uses:
- Imitation of legitimate SDKs to disguise malicious code
- Multiple obfuscation techniques
- Anti–dynamic analysis techniques
Links to previous campaigns
HUMAN’s researchers note that the use of HTML5 sites for cashout is a pattern previously observed in the SlopAds, Low5, and BADBOX 2.0 threat clusters. However, this connection is based on the assessment of a single research group and has not been independently confirmed. No specific attribution of the Trapdoor operators has been disclosed — the attackers remain unidentified.
Scale of impact and affected users
The concentration of traffic in the United States (over 75%) suggests deliberate targeting of U.S. users, most likely because ad impressions in that market are priced higher than elsewhere. With 24 million downloads and 659 million daily ad requests at peak activity, the financial impact on advertisers and ad networks may be substantial, although the report does not provide specific figures.
For end users, the primary risks are the data and device resources consumed by hidden WebViews loading ads in the background, and the possibility that the operators expand the malicious functionality later: because the second-stage app is delivered on demand, the same architecture could be used to push a different payload.
Recommendations
The full list of apps associated with Trapdoor has been published by HUMAN. Android users are advised to:
- Review their installed apps against the published list and immediately remove any matches
- Critically evaluate utility apps from little-known developers — this category (PDF viewers, cleaning tools) was used as the primary vector
- Avoid installing apps via links in ads shown inside other apps, especially when they masquerade as system updates
- Check device settings for apps with unusually high background data usage
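The first recommendation can be turned into a repeatable check. The script below is an added example, not code from HUMAN or the Trapdoor report. It assumes the published list has been saved locally as one Android package name per line (blank lines and `#` comments are ignored), that `adb` is installed, and that the device has USB debugging enabled. The package names in the built-in demo are invented placeholders, not entries from the real list.

```shell
#!/bin/sh
# Added example (not from the HUMAN report): compare the packages installed on
# a connected Android device against a locally saved copy of the published
# Trapdoor app list and report exact matches.
#
# Assumptions: the list is one package name per line (comments after '#' and
# blank lines are ignored); adb is on PATH; the demo names below are invented.

# clean_list FILE: print package names from FILE with CR characters, comments,
# whitespace and blank lines removed, so the file is safe to feed to grep -f
# (an empty pattern with -x would otherwise match every blank line).
clean_list() {
    tr -d '\r' < "$1" | sed 's/#.*//; s/[[:space:]]//g' | grep -v '^$' || true
}

# installed_packages: bare package names of every package on the device.
# All packages are listed, not only third-party ones (-3), so nothing is
# skipped because of how the second-stage app got installed.
installed_packages() {
    adb shell pm list packages | tr -d '\r' | sed -n 's/^package://p'
}

# find_matches INSTALLED_FILE BAD_FILE: print names from INSTALLED_FILE that
# appear in BAD_FILE. Matching is fixed-string (-F) and whole-line (-x):
# substring matching would flag com.example.pdfreader for a list entry
# com.example.pdf. Always exits 0; callers inspect the output.
find_matches() {
    bad_clean=$(mktemp)
    clean_list "$2" > "$bad_clean"
    if [ -s "$bad_clean" ]; then
        grep -F -x -f "$bad_clean" "$1" || true
    fi
    rm -f "$bad_clean"
}

# check_device BAD_FILE: compare the live device against the list.
# Returns 1 when anything matched so the check can be chained in scripts.
check_device() {
    inst=$(mktemp)
    installed_packages > "$inst"
    hits=$(find_matches "$inst" "$1")
    rm -f "$inst"
    if [ -n "$hits" ]; then
        printf 'Matches found (remove with: adb uninstall <package>):\n%s\n' "$hits"
        return 1
    fi
    echo "No installed package matched the list."
}

# demo: constructed data so the matching logic can be exercised offline.
# Note the CR on one line and the near-miss name com.example.pdf, which must
# not match the installed com.example.pdfreader.
demo() {
    inst=$(mktemp); bad=$(mktemp)
    printf 'com.android.settings\ncom.example.pdfreader\ncom.example.cleaner\n' > "$inst"
    printf '# hypothetical list\ncom.example.cleaner\r\ncom.example.pdf\n\n' > "$bad"
    find_matches "$inst" "$bad"
    rm -f "$inst" "$bad"
}

case "${1:-}" in
    "") demo ;;              # no argument: run the offline demo
    *)  check_device "$1" ;; # argument: path to the saved list, query the device
esac
```

Run it with the path to the saved list (`sh check_trapdoor.sh trapdoor_packages.txt`) to query the attached device; with no argument it runs the offline demo, which prints only `com.example.cleaner`. Exact whole-line matching matters here: the app list is long and many entries share prefixes with legitimate packages, so substring matching would produce false positives that tempt users to uninstall the wrong thing.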
Although Google has removed the identified apps from the Play Store, this does not affect instances that are already installed on users’ devices. Given the self-financing nature of the operation and the use of selective activation techniques that hinder detection by standard screening mechanisms, manually checking installed apps against the HUMAN list remains the most reliable way to identify a compromise.