Trapdoor Uncovered: Massive Android Ad Fraud Campaign Funneled Through Malicious Apps
Cybersecurity researchers have exposed a large-scale ad fraud and malvertising operation dubbed **Trapdoor** targeting **Android** users. The campaign leveraged hundreds of malicious apps to create a self-sustaining pipeline for illicit revenue generation, impacting millions of devices primarily in the U.S.
Cybersecurity firm **HUMAN**'s Satori Threat Intelligence and Research Team has revealed details of **Trapdoor**, a sophisticated ad fraud and malvertising operation targeting **Android** devices. The operation involved 455 malicious **Android** apps and 183 command-and-control (C2) domains, creating a multi-stage fraud infrastructure.
### Trapdoor's Modus Operandi
According to researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell, users are tricked into downloading seemingly benign utility apps (like PDF viewers or device cleanup tools) that act as conduits for malvertising.
These initial apps then coerce users into downloading additional threat actor-owned apps. These secondary apps launch hidden WebViews, load threat actor-owned HTML5 domains, and request ads, generating fraudulent revenue.

### Scale and Tactics
At its peak, **Trapdoor** generated 659 million bid requests daily, with associated **Android** apps downloaded over 24 million times. The majority of traffic originated from the U.S.
The threat actors also abused install attribution tools to selectively enable malicious behavior only for users acquired through their ad campaigns, while suppressing it for organic downloads. This evasion technique allowed them to operate under the radar.
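The two behaviours described above (hidden WebViews requesting ads, and activation only for installs attributed to the actor's own campaigns) are both visible from the defender's side as a statistical skew in app telemetry. The following is an added detection example, not code from HUMAN's report or from the Trapdoor apps: it runs over constructed per-device records and flags apps where most ad requests fire while no WebView is on screen *and* paid-attributed installs request far more ads per device than organic installs. The record fields, app package names, install-source labels and thresholds are all assumptions for illustration.

```python
"""Heuristic detection of attribution-gated, hidden-WebView ad requests.

Constructed example. Each Telemetry record is one (app, device) pair
observed over a reporting window. Field names are assumed, not a real
SDK or ad-exchange schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Telemetry:
    app_id: str
    device_id: str
    install_source: str      # assumed labels: "organic" or "paid_campaign"
    ad_requests: int         # ad requests observed from this app on this device
    hidden_ad_requests: int  # of those, requests fired while no WebView was visible


def summarize(records):
    """Aggregate per app: ad requests and device counts per install source,
    plus the share of requests that came from a non-visible WebView."""
    stats = defaultdict(lambda: {
        "organic": [0, 0], "paid_campaign": [0, 0], "hidden": 0, "total": 0,
    })
    for r in records:
        s = stats[r.app_id]
        s[r.install_source][0] += r.ad_requests
        s[r.install_source][1] += 1
        s["hidden"] += r.hidden_ad_requests
        s["total"] += r.ad_requests
    return stats


def flag_suspicious(records, hidden_ratio_min=0.8, gating_ratio_min=10.0, min_devices=3):
    """Return {app_id: metrics} for apps showing BOTH signals:
      1. hidden_ratio: most ad requests come from WebViews never shown on screen;
      2. gating_ratio: paid-attributed devices request far more ads per device
         than organic devices (behaviour switched on by install attribution).
    Apps with too few devices in either cohort are skipped to avoid noise."""
    findings = {}
    for app_id, s in summarize(records).items():
        org_req, org_dev = s["organic"]
        paid_req, paid_dev = s["paid_campaign"]
        if org_dev < min_devices or paid_dev < min_devices or s["total"] == 0:
            continue
        hidden_ratio = s["hidden"] / s["total"]
        org_rate = org_req / org_dev
        paid_rate = paid_req / paid_dev
        gating_ratio = paid_rate / org_rate if org_rate > 0 else float("inf")
        if hidden_ratio >= hidden_ratio_min and gating_ratio >= gating_ratio_min:
            findings[app_id] = {
                "hidden_ratio": round(hidden_ratio, 3),
                "gating_ratio": round(gating_ratio, 1),
                "organic_rate": round(org_rate, 1),
                "paid_rate": round(paid_rate, 1),
            }
    return findings


# Constructed sample telemetry (package names are placeholders).
SAMPLE = [
    # Second-stage style app: near-silent for organic installs, heavy hidden
    # ad requests for installs attributed to a paid campaign.
    Telemetry("com.example.stage2", "d1", "organic", 2, 0),
    Telemetry("com.example.stage2", "d2", "organic", 1, 0),
    Telemetry("com.example.stage2", "d3", "organic", 0, 0),
    Telemetry("com.example.stage2", "d4", "paid_campaign", 420, 418),
    Telemetry("com.example.stage2", "d5", "paid_campaign", 390, 390),
    Telemetry("com.example.stage2", "d6", "paid_campaign", 455, 451),
    # Ordinary ad-supported app: similar volume for both cohorts, ads on screen.
    Telemetry("com.example.notes", "d7", "organic", 8, 0),
    Telemetry("com.example.notes", "d8", "organic", 12, 0),
    Telemetry("com.example.notes", "d9", "organic", 10, 0),
    Telemetry("com.example.notes", "d10", "paid_campaign", 11, 0),
    Telemetry("com.example.notes", "d11", "paid_campaign", 9, 0),
    Telemetry("com.example.notes", "d12", "paid_campaign", 14, 0),
    # Too few paid-cohort devices: skipped rather than guessed at.
    Telemetry("com.example.sparse", "d13", "organic", 1, 0),
    Telemetry("com.example.sparse", "d14", "organic", 1, 0),
    Telemetry("com.example.sparse", "d15", "organic", 1, 0),
    Telemetry("com.example.sparse", "d16", "paid_campaign", 300, 300),
]

if __name__ == "__main__":
    for app, metrics in flag_suspicious(SAMPLE).items():
        print(app, metrics)
```

Neither signal alone is conclusive: a mediation bug can produce off-screen ad requests, and a paid campaign can legitimately attract heavier users. Requiring both, with a minimum cohort size, keeps the rule aimed at the specific pattern the researchers describe rather than at every noisy app in a dataset.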

This campaign shares similarities with previous ad fraud operations like **SlopAds**, **Low5**, and **BADBOX 2.0**, particularly in its use of HTML5-based cashout sites.
### Selective Activation and Evasion
Notably, only the second-stage apps are used to trigger fraud. The initial, organically downloaded apps serve fake update alerts to trick users into installing the malicious secondary apps.
This selective activation, combined with anti-analysis and obfuscation techniques, helped **Trapdoor** avoid detection.
### Mitigation and Response
Following a responsible disclosure, **Google** removed all identified malicious apps from the **Google Play Store**, effectively neutralizing the operation. A complete list of the removed apps is available [here](https://humanprod.wpenginepowered.com/wp-content/uploads/Trapdoor-Apps.html).
"Trapdoor shows how determined fraudsters turn everyday app installs into a self-funding pipeline for malvertising and ad fraud," said Gavin Reid, chief information security officer at **HUMAN**. He further highlighted the threat actors' use of legitimate tools, such as attribution software, to aid in their fraud campaigns and evade detection.
Lindsay Kaye, vice president of threat intelligence at **HUMAN**, noted that the operation used real software and multiple obfuscation techniques, such as impersonating legitimate SDKs, to blend in.