- Trapdoor is an ad fraud campaign using 455 Android apps and 183 C2 domains.
- The apps deceived users with fake updates and then secretly launched invisible WebViews to generate 659 million fraudulent ad bid requests daily.
- Google removed the apps, which had been downloaded more than 24 million times, after the disclosure, with researchers warning of malvertising pipelines created from everyday installs.
Security researchers have uncovered and dismantled a major ad fraud and malvertising operation that included hundreds of Android apps and likely generated millions of dollars in profits.
Researchers from Human Security's Satori team say the Trapdoor campaign used 455 applications and 183 command and control (C2) domains.
It started on the Google Play Store, where victims were offered seemingly harmless utility apps such as PDF readers. These apps worked as expected and did nothing that might suggest malicious behavior, such as requesting extended permissions or attempting to exfiltrate data to a third-party server. However, soon after installation, the apps showed a pop-up stating that they needed to be updated.
Hundreds of millions of bidding requests
The update is fake: triggering it downloads a completely different app. That app, which does its best to stay hidden on the device, launches invisible WebViews, loads HTML5 domains under the attackers’ control, and then requests ads.
Through these ads, which no one really sees, the threat actors stole money from advertisers, as well as companies using ad networks to promote their products and services.
According to the Human Security report, at its peak, Trapdoor accounted for 659 million bid requests per day, meaning advertisers were bidding on 659 million fake ad opportunities every day. Additionally, apps associated with the threat have been downloaded more than 24 million times.
After Human Security informed Google of its findings, Google removed all identified malicious apps from the Play Store. You can find the full list of apps at this link, and if you see something you’re using, make sure to uninstall it from all your devices.
“Trapdoor reminds us that the threats to the digital advertising ecosystem cannot be put into just one category,” Human Security noted. “By merging the distribution of malvertising with the monetization of hidden ad fraud, Trapdoor creates a pipeline in which each stage feeds the next: malvertising drives secondary app installs, those apps generate fraudulent ad revenue, and that revenue can fund further malvertising campaigns.”
