Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Trapdoor Android malvertising and ad-fraud campaign

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

The Trapdoor campaign is a self-sustaining malvertising and ad-fraud operation targeting Android users and turning app installs into revenue through threat-actor-controlled infrastructure. It spans 455 malicious Android apps and 183 C2 domains, showing a broad, repeated distribution and monetization pattern. The operation matters because it uses hidden WebViews, HTML5 cashout sites, and selective activation to keep fraud active while evading detection.

Related Happenings

Premium Deception Android malware campaign

Campaign
First: 20.05.2026 18:30 Last: 20.05.2026 18:30 Sources 1

About this happening: The **Premium Deception** campaign used **nearly 250 fake Android apps** to enroll victims in premium mobile billing subscriptions, creating direct fraud risk across multiple coun...

Open Happening

AI-driven attack surge against customer-facing mobile apps in 2026

Target Trend
First: 19.05.2026 15:00 Last: 19.05.2026 15:00 Sources 1

About this happening: **Customer-facing mobile apps** faced a sharp rise in attacks in **2026**, with **87%** of monitored apps hit versus **55% in 2022**. The trend matters because **agentic AI** is l...

Open Happening

FakeWallet crypto wallet phishing campaign targeting users in China

Campaign
First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...

Latest development: 24.04.2026 14:48

Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.

Open Happening

Mirax social media ad campaign targeting Spanish-speaking users

Campaign
First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...

Open Happening

Mirax Android banking trojan with residential proxy nodes

Malware Activity
First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...

Open Happening

Timeline

  1. 19.05.2026 19:38 2 articles · 8d ago

    Trapdoor Android malvertising campaign disclosed and malicious apps removed from Google Play Store

    Initial Disclosure

    Researchers disclosed Trapdoor, a new ad fraud and malvertising operation targeting Android device users that used 455 malicious Android apps and 183 threat actor-owned command-and-control domains to drive multi-stage fraud. The campaign blended malvertising distribution with hidden ad-fraud monetization, using utility-style apps, hidden WebViews, HTML5 cashout sites, install attribution abuse, selective activation for ad-sourced installs, and obfuscation or anti-analysis techniques; at peak it generated 659 million bid requests a day and the linked apps were downloaded more than 24 million times, with traffic primarily originating from the U.S. Following responsible disclosure, Google removed the identified malicious apps from the Google Play Store.

    Show sources
    Open in new tab