Find notable cyber news and cases, enriched with sources, timelines, and signals.

Trapdoor Android malvertising and ad-fraud campaign

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

The Trapdoor campaign is a self-sustaining malvertising and ad-fraud operation targeting Android users and turning app installs into revenue through threat-actor-controlled infrastructure. It spans 455 malicious Android apps and 183 C2 domains, showing a broad, repeated distribution and monetization pattern. The operation matters because it uses hidden WebViews, HTML5 cashout sites, and selective activation to keep fraud active while evading detection.

Related Happenings

Google Play Protect adds warnings and app disabling for compromised SDK abuse

Security Tool/Service
H score11 First: 03.07.2026 12:35 Last: 03.07.2026 12:35 Sources 1

About this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta
H score20 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...

Magecart Stripe and Google Tag Manager card-skimming campaign

Campaign
H score36 First: 04.06.2026 23:47 Last: 04.06.2026 23:47 Sources 1

About this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...

BTMOB Android MaaS platform expands low-code phishing payload production

Threat Actor Meta
H score21 First: 29.05.2026 00:10 Last: 29.05.2026 00:10 Sources 1

About this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
H score25 First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...

Timeline

  1. 19.05.2026 19:38 2 articles · 1mo ago

    Trapdoor Android malvertising campaign disclosed and malicious apps removed from Google Play Store

    Initial Disclosure

    Researchers disclosed Trapdoor, a new ad fraud and malvertising operation targeting Android device users that used 455 malicious Android apps and 183 threat actor-owned command-and-control domains to drive multi-stage fraud. The campaign blended malvertising distribution with hidden ad-fraud monetization, using utility-style apps, hidden WebViews, HTML5 cashout sites, install attribution abuse, selective activation for ad-sourced installs, and obfuscation or anti-analysis techniques; at peak it generated 659 million bid requests a day and the linked apps were downloaded more than 24 million times, with traffic primarily originating from the U.S. Following responsible disclosure, Google removed the identified malicious apps from the Google Play Store.

    Show sources