Trapdoor Ad Fraud Scheme Exploits 455 Android Apps, Hits 659M Daily Bids

Cybersecurity researchers have uncovered a sophisticated ad fraud and malvertising operation named Trapdoor, which targeted Android users through 455 malicious apps and 183 command-and-control (C2) domains. This infrastructure facilitated a multi-stage fraud process, as reported by The Hacker News.

Users were lured into downloading seemingly harmless utility apps, such as PDF viewers or device cleanup tools. These apps initiated malvertising campaigns, coercing users into installing additional malicious applications. The secondary apps then launched hidden WebViews, loaded threat-actor-controlled HTML5 domains, and requested ads, creating a self-sustaining cycle of illicit revenue generation.

At its peak, Trapdoor generated 659 million bid requests daily, with over 24 million downloads of the associated Android apps. The majority of the traffic originated from the United States, accounting for more than 75% of the volume.

Notably, the threat actors exploited install attribution tools to selectively activate malicious behavior only in users acquired through their ad campaigns, while suppressing it for organic downloads. This tactic, combined with various anti-analysis and obfuscation techniques, allowed the operation to evade detection effectively.
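The attribution gating described above leaves a measurable trace: the hidden-WebView ad activity appears in campaign-attributed installs but not in organic ones. As an added illustration (not code from the article or from the researchers), the following script flags apps whose two install cohorts diverge in that way. The telemetry records, app names and field names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the article): one record per app session.
# install_source is what an install-attribution SDK reports: "campaign" when the
# install was attributed to the operator's own ad campaign, "organic" otherwise.
# hidden_ad_requests counts ad requests issued from a WebView never drawn on screen.
SESSIONS = [
    {"app": "pdf.viewer.example", "install_source": "campaign", "hidden_ad_requests": 412},
    {"app": "pdf.viewer.example", "install_source": "campaign", "hidden_ad_requests": 380},
    {"app": "pdf.viewer.example", "install_source": "campaign", "hidden_ad_requests": 295},
    {"app": "pdf.viewer.example", "install_source": "campaign", "hidden_ad_requests": 0},
    {"app": "pdf.viewer.example", "install_source": "organic", "hidden_ad_requests": 0},
    {"app": "pdf.viewer.example", "install_source": "organic", "hidden_ad_requests": 0},
    {"app": "pdf.viewer.example", "install_source": "organic", "hidden_ad_requests": 0},
    {"app": "cleaner.example", "install_source": "campaign", "hidden_ad_requests": 0},
    {"app": "cleaner.example", "install_source": "campaign", "hidden_ad_requests": 0},
    {"app": "cleaner.example", "install_source": "campaign", "hidden_ad_requests": 0},
    {"app": "cleaner.example", "install_source": "organic", "hidden_ad_requests": 0},
    {"app": "cleaner.example", "install_source": "organic", "hidden_ad_requests": 0},
    {"app": "cleaner.example", "install_source": "organic", "hidden_ad_requests": 0},
]

def cohort_rates(sessions):
    """Per app and install cohort: (fraction of sessions with hidden ad requests, session count)."""
    counts = defaultdict(lambda: {"campaign": [0, 0], "organic": [0, 0]})
    for s in sessions:
        hit, total = counts[s["app"]][s["install_source"]]
        counts[s["app"]][s["install_source"]] = [hit + (s["hidden_ad_requests"] > 0), total + 1]
    return {app: {c: (h / t if t else 0.0, t) for c, (h, t) in cohorts.items()}
            for app, cohorts in counts.items()}

def attribution_gated_apps(sessions, min_sessions=3, min_gap=0.5):
    """Flag apps whose hidden-WebView ad traffic shows up in campaign-attributed
    installs but stays dormant in organic installs. An app needs at least
    min_sessions in both cohorts and a rate gap of at least min_gap to be flagged."""
    flagged = []
    for app, cohorts in cohort_rates(sessions).items():
        (camp_rate, camp_n), (org_rate, org_n) = cohorts["campaign"], cohorts["organic"]
        if camp_n >= min_sessions and org_n >= min_sessions and camp_rate - org_rate >= min_gap:
            flagged.append((app, round(camp_rate, 2), round(org_rate, 2)))
    return flagged

if __name__ == "__main__":
    for app, camp, org in attribution_gated_apps(SESSIONS):
        print(f"{app}: hidden-ad rate campaign={camp} organic={org}")
```

An app that serves hidden ads to both cohorts shows no gap, so this check complements a plain hidden-WebView-ad rule rather than replacing it.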

Following responsible disclosure, Google has removed all identified malicious apps from the Play Store, effectively dismantling the Trapdoor operation.

The Trapdoor scheme underscores the evolving sophistication of ad fraud operations targeting Android users. By blending malvertising distribution with hidden ad fraud monetization, threat actors have created a self-funding pipeline that not only generates illicit revenue but also perpetuates the spread of malicious apps. This highlights the critical need for users to exercise caution when downloading apps, even from official sources, and for continuous vigilance from app store operators to detect and remove such threats promptly.

Source: The Hacker News