Massive Android Ad Fraud Scheme 'Trapdoor' Exposed, Affecting Millions Daily
- John Jordan
A sophisticated ad fraud operation, dubbed "Trapdoor," has been uncovered, targeting Android users and generating an astonishing 659 million daily bid requests at its peak. The scheme involved 455 malicious Android applications and 183 command-and-control domains, creating a multi-stage fraud pipeline that tricked users into downloading further malicious apps.
Key Takeaways
The "Trapdoor" scheme generated up to 659 million ad bid requests per day at its peak.
It utilized 455 malicious Android apps and 183 threat actor-owned domains.
Users were coerced into downloading secondary apps via deceptive pop-ups.
The operation employed HTML5-based cashout sites and install attribution abuse.
Google has removed the identified malicious apps from the Play Store.
How Trapdoor Operated
Users were initially lured into downloading seemingly harmless utility apps, such as PDF viewers or device cleanup tools, which were controlled by threat actors. Upon launching these apps, users were presented with malvertising campaigns that prompted them to download additional apps owned by the same threat actors. These secondary applications would then launch hidden WebViews, load malicious HTML5 domains, and initiate ad requests, creating a self-sustaining cycle of illicit revenue generation.
Deceptive Tactics and Evasion
A notable aspect of Trapdoor was its use of HTML5-based cashout sites, a pattern previously seen in other ad fraud operations. The scheme also abused install attribution, a mechanism legitimate marketers rely on to track which campaign led a user to install an app. This allowed the threat actors to selectively enable malicious behavior only for users acquired through their own ad campaigns, while suppressing it for organic downloads, making detection more challenging.
Once a user downloaded an initial app, fake pop-up alerts mimicking app update messages would trick them into installing the next stage. This selective activation ensured that the fraudulent payload was only triggered for victims of the advertising campaign, not for users who downloaded the app directly from legitimate sources.
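The two behaviours described above, hidden WebViews issuing ad requests while nothing is on screen, and a payload that only activates for campaign-attributed installs, both leave a statistical trace in app telemetry. The following detection heuristic is an added example written for this article; it is not code from the researchers who disclosed Trapdoor or from any of the apps involved. It assumes a defender holds per-install telemetry with an app package, a device id, the install's attribution cohort (campaign or organic) and, for each ad request, whether the app had a visible activity at the time. The package names and log lines are constructed for the example.

```python
"""Cohort-based heuristic for Trapdoor-style ad fraud (added example).

Two signals are checked per app package:
  1. hidden ratio  - share of ad requests fired with no visible activity
                     (consistent with ads loaded in a hidden WebView)
  2. cohort ratio  - ad requests per campaign-attributed device divided by
                     ad requests per organic device (consistent with a
                     payload gated on install attribution)
"""
from collections import defaultdict

# Constructed telemetry, not real data. One line per install or ad request:
#   ts pkg=<package> device=<id> install=<campaign|organic> [visible=<0|1>] event=<install|ad_request>
SAMPLE_LOG = """\
2024-05-01T09:00:00Z pkg=com.example.pdfviewer device=d1 install=campaign event=install
2024-05-01T09:00:05Z pkg=com.example.pdfviewer device=d1 install=campaign visible=0 event=ad_request
2024-05-01T09:00:06Z pkg=com.example.pdfviewer device=d1 install=campaign visible=0 event=ad_request
2024-05-01T09:00:07Z pkg=com.example.pdfviewer device=d1 install=campaign visible=0 event=ad_request
2024-05-01T09:10:00Z pkg=com.example.pdfviewer device=d2 install=campaign event=install
2024-05-01T09:10:04Z pkg=com.example.pdfviewer device=d2 install=campaign visible=1 event=ad_request
2024-05-01T09:10:05Z pkg=com.example.pdfviewer device=d2 install=campaign visible=0 event=ad_request
2024-05-01T09:10:06Z pkg=com.example.pdfviewer device=d2 install=campaign visible=0 event=ad_request
2024-05-01T09:10:07Z pkg=com.example.pdfviewer device=d2 install=campaign visible=0 event=ad_request
2024-05-01T09:20:00Z pkg=com.example.pdfviewer device=d3 install=organic event=install
2024-05-01T09:20:30Z pkg=com.example.pdfviewer device=d3 install=organic visible=1 event=ad_request
2024-05-01T09:30:00Z pkg=com.example.pdfviewer device=d4 install=organic event=install
2024-05-01T10:00:00Z pkg=com.example.notes device=d5 install=campaign event=install
2024-05-01T10:00:20Z pkg=com.example.notes device=d5 install=campaign visible=1 event=ad_request
2024-05-01T10:00:40Z pkg=com.example.notes device=d5 install=campaign visible=1 event=ad_request
2024-05-01T10:10:00Z pkg=com.example.notes device=d6 install=organic event=install
2024-05-01T10:10:20Z pkg=com.example.notes device=d6 install=organic visible=1 event=ad_request
2024-05-01T10:10:40Z pkg=com.example.notes device=d6 install=organic visible=1 event=ad_request
"""


def parse_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def summarize(log_text):
    """Per package: devices seen per cohort, ad requests per cohort, hidden/total counts."""
    stats = defaultdict(lambda: {
        "devices": {"campaign": set(), "organic": set()},
        "requests": {"campaign": 0, "organic": 0},
        "hidden": 0,
        "total": 0,
    })
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["pkg"]]
        cohort = rec["install"]
        s["devices"][cohort].add(rec["device"])  # install events count devices too
        if rec["event"] == "ad_request":
            s["requests"][cohort] += 1
            s["total"] += 1
            if rec.get("visible") == "0":
                s["hidden"] += 1
    return stats


def cohort_ratio(s):
    """Ad requests per campaign device divided by ad requests per organic device."""
    def rate(cohort):
        n = len(s["devices"][cohort])
        return s["requests"][cohort] / n if n else 0.0
    campaign, organic = rate("campaign"), rate("organic")
    if organic == 0:
        # Edge case: no organic baseline at all. Campaign traffic with zero
        # organic traffic is the strongest form of the signal, so report inf.
        return float("inf") if campaign > 0 else 0.0
    return campaign / organic


def hidden_ratio(s):
    """Share of an app's ad requests that fired while no activity was visible."""
    return s["hidden"] / s["total"] if s["total"] else 0.0


def flag_suspicious(stats, hidden_threshold=0.7, cohort_threshold=5.0):
    """Return {package: [reasons]} for apps that trip either signal."""
    flagged = {}
    for pkg, s in stats.items():
        reasons = []
        if hidden_ratio(s) >= hidden_threshold:
            reasons.append("most ad requests fire with no visible activity")
        if cohort_ratio(s) >= cohort_threshold:
            reasons.append("campaign-attributed installs request far more ads than organic installs")
        if reasons:
            flagged[pkg] = reasons
    return flagged


if __name__ == "__main__":
    for pkg, reasons in flag_suspicious(summarize(SAMPLE_LOG)).items():
        print(pkg, "->", "; ".join(reasons))
```

On the constructed sample the hypothetical com.example.pdfviewer trips both signals (6 of 8 requests hidden, 3.5 requests per campaign device against 0.5 per organic device) while com.example.notes trips neither. The thresholds are starting points, not calibrated values; in practice they would be tuned against a baseline of known-clean apps, and the cohort signal only works if the telemetry records the same attribution source the app itself consults.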
Furthermore, Trapdoor employed various anti-analysis and obfuscation techniques, including impersonating legitimate SDKs, to evade detection by security researchers and platforms. This allowed the operation to blend in with normal app activity.
Google's Response and Impact
Following a responsible disclosure by cybersecurity researchers, Google has taken action to remove all identified malicious apps from the Google Play Store, effectively neutralizing the Trapdoor operation. The scheme highlights the evolving tactics of threat actors who leverage everyday app installs and legitimate tools to fund malvertising and ad fraud campaigns.
Sources
Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps, The Hacker News.
