Trapdoor Android ad fraud operation leveraging 455 malicious apps and selective activation techniques disrupted
Summary
A large-scale Android ad fraud and malvertising operation named Trapdoor was uncovered, utilizing 455 malicious utility-style apps and 183 threat actor-owned C2 domains to generate 659 million daily bid requests. The campaign operated as a self-sustaining revenue cycle, where initial app installs triggered malvertising that coerced users into downloading secondary apps, which then performed hidden ad fraud via automated touch fraud and concealed WebView ad requests. Traffic was predominantly U.S.-based, accounting for over 75% of volume, and the operation peaked at 24 million total app downloads. Selective activation techniques ensured fraudulent behavior was triggered only for users acquired through threat actor-run ad campaigns, while organic downloads remained unaffected. Google removed all identified malicious apps from the Play Store following responsible disclosure.
Timeline
- 19.05.2026 19:38 · 1 article
Trapdoor Android ad fraud operation with 659 million daily bid requests disrupted after responsible disclosure
A large-scale Android ad fraud and malvertising operation named Trapdoor was disrupted following responsible disclosure to Google. The campaign used 455 malicious utility-style apps and 183 C2 domains to generate 659 million daily bid requests and 24 million total downloads, with over 75% of traffic originating from the U.S. The operation relied on a multi-stage fraud model where initial app installs triggered malvertising to coerce users into installing secondary apps, which then performed hidden ad fraud via automated touch fraud and concealed WebView ad requests. Selective activation via install attribution tools ensured fraudulent behavior was triggered only for users acquired through threat actor-run ad campaigns, while organic downloads remained unaffected. Trapdoor employed anti-analysis and obfuscation techniques, including impersonation of legitimate SDKs, to evade detection before Google removed all identified malicious apps from the Play Store.
- Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps — thehackernews.com — 19.05.2026 19:38
Information Snippets
- The Trapdoor operation comprised 455 malicious Android apps, primarily utility-style applications such as PDF viewers or device cleanup tools, and 183 threat actor-owned command-and-control (C2) domains.
  First reported: 19.05.2026 19:38 · 1 source, 1 article
  - Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps — thehackernews.com — 19.05.2026 19:38
- At its peak, Trapdoor generated 659 million bid requests daily and was downloaded more than 24 million times, with over 75% of traffic originating from the U.S.
  First reported: 19.05.2026 19:38 · 1 source, 1 article
  - Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps — thehackernews.com — 19.05.2026 19:38
- The scheme operated as a multi-stage fraud pipeline: initial app installs triggered malvertising that pushed secondary apps, which then launched hidden WebViews to load threat actor-controlled HTML5 cashout domains and request ads.
  First reported: 19.05.2026 19:38 · 1 source, 1 article
  - Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps — thehackernews.com — 19.05.2026 19:38
- Selective activation was implemented using install attribution tools, enabling malicious behavior only for users acquired via threat actor-run ad campaigns while suppressing it for organic downloads.
  First reported: 19.05.2026 19:38 · 1 source, 1 article
  - Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps — thehackernews.com — 19.05.2026 19:38
- The secondary-stage apps performed automated touch fraud and concealed ad requests, while primary apps displayed fake update pop-ups to coerce users into installing further malicious apps.
  First reported: 19.05.2026 19:38 · 1 source, 1 article
  - Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps — thehackernews.com — 19.05.2026 19:38
- Trapdoor employed anti-analysis and obfuscation techniques, including impersonating legitimate SDKs, to evade detection and blend into normal app behavior.
  First reported: 19.05.2026 19:38 · 1 source, 1 article
  - Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps — thehackernews.com — 19.05.2026 19:38
- Google removed all identified malicious apps from the Google Play Store following responsible disclosure, effectively neutralizing the operation.
  First reported: 19.05.2026 19:38 · 1 source, 1 article
  - Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps — thehackernews.com — 19.05.2026 19:38