Cybersecurity researchers have disclosed Trapdoor, a mobile ad fraud operation targeting Android devices. At its peak it generated 659 million bid requests per day and involved 455 apps, with 183 threat actor-owned C2 domains forming its infrastructure. The campaign's Android apps were downloaded more than 24 million times, and the traffic originated largely from the United States, which accounted for more than three-fourths of the volume.
Researchers explained that users download threat actor-owned apps that trigger malvertising campaigns, leading to additional apps that launch hidden WebViews and load threat actor-controlled domains to serve ads. The operation is described as self‑sustaining, turning organic installs into a revenue pipeline for follow-on malvertising, with HTML5 cashout sites appearing in its pattern history.
According to HUMAN, the threat actors also abuse install attribution tools to tailor malicious activity to downloads acquired through ad campaigns while suppressing it for organic downloads. Following disclosure, Google has removed identified malicious apps from the Google Play Store.