Trapdoor Ad Fraud Operation Disrupted, Involving 455 Malicious Android Apps
Severity: High (Score: 67.5)
Sources: Markets.Businessinsider, Cybersecuritynews, www.globenewswire.com, Gbhackers
Keywords: trapdoor, android, fraud, apps, human, satori, ring
Summary
HUMAN Security's Satori Threat Intelligence Team has identified and disrupted a significant ad fraud operation named Trapdoor, which used 455 malicious Android apps and 183 command-and-control domains. The operation generated a self-sustaining revenue loop through malvertising and automated click fraud, peaking at 480 million bid requests daily and over 24 million app downloads. The fraudulent apps masqueraded as legitimate utility applications and triggered malvertising campaigns that coerced users into downloading additional malicious apps. Google has removed the identified malicious apps from its Play Store and implemented protective measures. The Trapdoor operation exemplifies how fraudsters exploit legitimate tools and techniques to evade detection and sustain their fraudulent activities.
Key Points:
- Trapdoor involved 455 malicious Android apps and 183 C2 domains.
- The operation peaked at 480 million daily bid requests and over 24 million downloads.
- Google has removed all identified malicious apps and enhanced user protections.
Detailed Analysis
**Impact**
The operation affected Android users globally through 455 malicious apps downloaded over 24 million times, primarily targeting the digital advertising ecosystem. At its peak, Trapdoor generated between 480 million and 659 million fraudulent bid requests daily, causing significant financial losses for advertisers through fake ad clicks and drained advertising budgets. The campaign affected sectors that rely on mobile advertising revenue and marketing attribution platforms.
**Technical Details**
Trapdoor employed a multi-stage attack chain that started with utility-style Android apps which triggered malvertising campaigns, coercing users into downloading additional malicious apps. These secondary apps executed automated touch fraud, launched hidden WebViews, and loaded 183 threat-actor-owned HTML5 domains to request ads and generate revenue. The operation used advanced obfuscation, anti-analysis techniques, and impersonation of legitimate SDKs, abusing marketing attribution software to evade detection. No CVEs or specific malware names were disclosed.
**Recommended Response**
Remove all identified malicious apps from devices and ensure Google Play Protect is enabled to block known Trapdoor-associated apps. Deploy detection rules targeting automated touch fraud, hidden WebViews, and suspicious HTML5 domain traffic. Block the 183 identified threat-actor-owned domains and monitor ad traffic for abnormal bid request volumes. Continue monitoring for new variants and maintain updated threat intelligence feeds from sources such as HUMAN Security.
Source articles (4)
- Trapdoor Android Ad Fraud Ring Abuses 455 Apps for Fake Clicks — Gbhackers · 2026-05-20
  A large-scale Android ad fraud campaign named “Trapdoor,” exposing a sophisticated ecosystem built on 455 malicious apps and 183 command-and-control (C2) domains. The operation combines malvertising,…
- Ad Fraud Defense — www.globenewswire.com · 2026-05-20
- Trapdoor Android Ad Fraud Operation Uses 455 Malicious Apps to Generate Fake Clicks — Cybersecuritynews · 2026-05-20
  A large-scale ad fraud operation called Trapdoor has been discovered targeting Android users through 455 malicious apps, quietly generating fake ad clicks and draining real advertising budgets across…
- HUMAN's Satori Researchers Identify and Disrupt Multi — Markets.Businessinsider · 2026-05-20
  NEW YORK, May 19, 2026 (GLOBE NEWSWIRE) -- HUMAN Security, Inc., the trust layer for digital customer experiences in the agentic era, today announced that its Satori Threat Intelligence and Research T…
Timeline
- 2026-05-19 — HUMAN announces disruption of Trapdoor operation: HUMAN Security disclosed the disruption of the Trapdoor ad fraud scheme, detailing its extensive use of malicious apps and evasion techniques.
- 2026-05-19 — Google removes malicious apps: Google Play removed all identified malicious apps associated with the Trapdoor operation to protect users from malvertising and ad fraud.
- Recent — Trapdoor operation peaks: At its peak, the Trapdoor operation generated 480 million bid requests daily, showcasing its extensive impact on the digital advertising ecosystem.
Related entities
- Botnet (Attack Type)
- Malware (Attack Type)
- Badbox 2.0 (Malware)
- Low5 (Campaign)
- SlopAds (Campaign)
- Trapdoor (Platform)
- Android (Platform)
- humansecurity.com (Domain)
- the.in (Domain)
- T1027 - Obfuscated Files Or Information (Mitre Attack)
- T1036 - Masquerading (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1105 - Ingress Tool Transfer (Mitre Attack)
- T1189 - Drive-by Compromise (Mitre Attack)
- Marketing Attribution Software (Tool)