Trapdoor Android malvertising and ad-fraud campaign
Campaign
Summary
Hide ▲
Show ▼
The Trapdoor campaign is a self-sustaining malvertising and ad-fraud operation targeting Android users and turning app installs into revenue through threat-actor-controlled infrastructure. It spans 455 malicious Android apps and 183 C2 domains, showing a broad, repeated distribution and monetization pattern. The operation matters because it uses hidden WebViews, HTML5 cashout sites, and selective activation to keep fraud active while evading detection.
Related Happenings
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/Service
H score11
First: 03.07.2026 12:35
Last: 03.07.2026 12:35
Sources 1
About this happening:
**Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/ServiceAbout this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Magecart Stripe and Google Tag Manager card-skimming campaign
Campaign
H score36
First: 04.06.2026 23:47
Last: 04.06.2026 23:47
Sources 1
About this happening:
The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Magecart Stripe and Google Tag Manager card-skimming campaign
CampaignAbout this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor Meta
H score21
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
About this happening:
**BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor MetaAbout this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware ActivityAbout this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Timeline
-
19.05.2026 19:38 2 articles · 1mo ago
Trapdoor Android malvertising campaign disclosed and malicious apps removed from Google Play Store
Initial DisclosureResearchers disclosed Trapdoor, a new ad fraud and malvertising operation targeting Android device users that used 455 malicious Android apps and 183 threat actor-owned command-and-control domains to drive multi-stage fraud. The campaign blended malvertising distribution with hidden ad-fraud monetization, using utility-style apps, hidden WebViews, HTML5 cashout sites, install attribution abuse, selective activation for ad-sourced installs, and obfuscation or anti-analysis techniques; at peak it generated 659 million bid requests a day and the linked apps were downloaded more than 24 million times, with traffic primarily originating from the U.S. Following responsible disclosure, Google removed the identified malicious apps from the Google Play Store.
Show sources
- Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps — thehackernews.com — 19.05.2026 19:38
- Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps — thehackernews.com — 19.05.2026 19:38