- Trapdoor is an ad fraud campaign that uses 455 Android apps and 183 C2 domains
- Apps tricked users into fake updates, then secretly launched invisible WebViews to generate 659 million fraudulent ad bid requests daily
- Google removed the 24M+ downloaded apps after the revelation, with researchers warning of malvertising pipelines built from daily installs
Security researchers have discovered and dismantled a major ad fraud and malvertising operation that involved hundreds of Android apps and likely generated millions of dollars in profits.
Human Security researchers from the Satori team claim that the Trapdoor campaign used 455 applications and 183 command-and-control (C2) domains.
It started in the Google Play Store, where victims were offered seemingly benign utility apps, such as PDF readers and the like. These apps worked as intended and did nothing to indicate malicious behavior (for example, asking for extensive permissions or trying to exfiltrate data to a third-party server). However, shortly after installation, the apps would show a pop-up asking the user to update.
Hundreds of millions of bid requests
The update is fake: when triggered, it downloads a completely different app. This second app, which does its best to remain hidden on the device, launches invisible WebViews, loads HTML5 domains under the attacker’s control, and then requests ads.
Through these ads, which no one ever really sees, the threat actors stole money from advertisers, as well as companies that use ad networks to promote their products and services.
According to the Human Security report, Trapdoor peaked at 659 million bid requests per day, which means advertisers were being offered 659 million fake ad opportunities every day. Furthermore, the apps associated with the threat have been downloaded more than 24 million times.
After the researchers notified Google of their findings, the Play Store maker removed all the identified malicious apps from its app store. You can find the full list of apps at this link, and if you see something you’re using, be sure to uninstall it from all your devices.
“Trapdoor is a reminder that threats to the digital advertising ecosystem do not fit neatly into single categories,” noted Human Security. “By combining malvertising distribution with hidden ad fraud monetization, Trapdoor creates a pipeline where each step fuels the next: Malvertising drives secondary app installs, those apps fraudulently generate ad revenue, and that revenue can fund additional malvertising campaigns.”




