In a nutshell: The Trapdoor operation abused attribution tooling and a multi-stage install chain to activate ad fraud selectively, so that organic direct installs stayed clean and the fraud went unnoticed.
A network of 455 malicious Android apps generated up to 659 million ad requests per day and reached more than 24 million downloads. The Trapdoor operation, since removed from Google Play, paired decoy apps with hidden ad fraud and used attribution tooling to deliver the fraud payload only to installs that arrived through the operators' own paid ad campaigns.
Security firm HUMAN documented a two-stage infection chain. Users first install an apparently harmless utility app, such as a PDF viewer or a cleaning tool. That first app serves malvertising and fake update notifications that lead to a second, malicious app. Only this second app carries the actual fraud function: hidden WebViews that load content from 183 attacker-controlled C2 domains and automatically request ad placements. The defining trait is selective activation: the fraud path runs only on devices whose install is attributed to one of the attackers' paid campaigns. Organic Play installs and sideloaded copies behave benignly, which keeps the payload out of sight of anyone who obtains the app directly.
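To make the gating pattern concrete, here is an added example (not HUMAN's tooling and not code from the Trapdoor apps) of a cohort analysis an ad-fraud analyst could run over app telemetry: it compares ad-request volume and WebView visibility between paid-campaign installs and every other install source of the same package, and lists domains that only ever receive hidden WebView traffic. The log format, field names, package names, device ids, domains and thresholds are all constructed for illustration.

```python
"""Cohort analysis of ad-request telemetry to surface install-source-gated fraud.

Constructed example; not HUMAN's detection code and not Trapdoor's own logic.
The log format, names and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample records, one per ad request, as an SDK- or publisher-side
# log might record them. Assumed fields:
#   ts  device  package  install_source  domain  visible(1=on-screen WebView)
SAMPLE_LOG = """\
2026-05-18T10:00:01Z dev-a com.example.pdfreader paid c2-1.example 0
2026-05-18T10:00:04Z dev-a com.example.pdfreader paid c2-2.example 0
2026-05-18T10:00:07Z dev-a com.example.pdfreader paid c2-1.example 0
2026-05-18T10:00:10Z dev-a com.example.pdfreader paid c2-2.example 0
2026-05-18T10:00:13Z dev-a com.example.pdfreader paid c2-1.example 0
2026-05-18T10:00:16Z dev-a com.example.pdfreader paid c2-2.example 0
2026-05-18T10:01:01Z dev-b com.example.pdfreader paid c2-1.example 0
2026-05-18T10:01:04Z dev-b com.example.pdfreader paid c2-1.example 0
2026-05-18T10:01:07Z dev-b com.example.pdfreader paid c2-2.example 0
2026-05-18T10:01:10Z dev-b com.example.pdfreader paid c2-2.example 0
2026-05-18T10:01:13Z dev-b com.example.pdfreader paid c2-1.example 0
2026-05-18T10:02:00Z dev-c com.example.pdfreader organic ads.legit.example 1
2026-05-18T10:03:00Z dev-d com.example.pdfreader organic ads.legit.example 1
2026-05-18T10:04:00Z dev-e com.example.pdfreader sideload ads.legit.example 1
2026-05-18T10:05:00Z dev-f com.example.notes paid ads.legit.example 1
2026-05-18T10:06:00Z dev-g com.example.notes organic ads.legit.example 1
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, package, source, domain, visible = line.split()
        events.append({"ts": ts, "device": device, "package": package,
                       "source": source, "domain": domain,
                       "visible": visible == "1"})
    return events


def per_device(events, package):
    """Request and hidden-request counts per device for one package."""
    stats = {}
    for e in events:
        if e["package"] != package:
            continue
        d = stats.setdefault(e["device"],
                             {"source": e["source"], "requests": 0, "hidden": 0})
        d["requests"] += 1
        if not e["visible"]:
            d["hidden"] += 1
    return stats


def cohort_summary(events, package):
    """Per install-source cohort: devices, mean requests/device, hidden share."""
    by_source = defaultdict(list)
    for d in per_device(events, package).values():
        by_source[d["source"]].append(d)
    out = {}
    for source, devs in by_source.items():
        total = sum(d["requests"] for d in devs)
        hidden = sum(d["hidden"] for d in devs)
        out[source] = {"devices": len(devs),
                       "mean_requests": mean(d["requests"] for d in devs),
                       "hidden_ratio": hidden / total if total else 0.0}
    return out


def gated_fraud_verdict(events, rate_ratio=5.0, hidden_ratio=0.9):
    """Flag packages whose paid installs produce far more, and mostly hidden,
    ad requests than all other install sources combined. Thresholds assumed."""
    verdicts = {}
    for package in sorted({e["package"] for e in events}):
        devs = list(per_device(events, package).values())
        paid = [d for d in devs if d["source"] == "paid"]
        unpaid = [d for d in devs if d["source"] != "paid"]
        if not paid or not unpaid:
            verdicts[package] = {"gated": False, "reason": "need both cohorts"}
            continue
        paid_rate = mean(d["requests"] for d in paid)
        unpaid_rate = mean(d["requests"] for d in unpaid)
        paid_hidden = (sum(d["hidden"] for d in paid)
                       / sum(d["requests"] for d in paid))
        gated = paid_rate >= rate_ratio * unpaid_rate and paid_hidden >= hidden_ratio
        verdicts[package] = {"gated": gated, "paid_rate": paid_rate,
                             "unpaid_rate": unpaid_rate,
                             "paid_hidden_ratio": paid_hidden}
    return verdicts


def hidden_only_domains(events):
    """Domains reached only from invisible WebViews: C2/payout-page candidates."""
    visible, hidden = set(), set()
    for e in events:
        (visible if e["visible"] else hidden).add(e["domain"])
    return hidden - visible


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for pkg, verdict in gated_fraud_verdict(evs).items():
        print(pkg, verdict)
    print("hidden-only domains:", sorted(hidden_only_domains(evs)))
```

The split by install source is the whole point: a per-app or per-device average across all installs dilutes the paid cohort with clean organic and sideloaded devices and can look unremarkable, while the paid-versus-unpaid comparison exposes exactly the gating the article describes. The same idea applies to a lab setup: an app that behaves benignly when sideloaded onto a test device has not been tested on the path the attackers actually activate.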
The fraud is self-reinforcing. Revenue from hidden ad fraud finances new malvertising campaigns, which in turn spread more infected apps. The majority of the 659 million daily requests originated from the United States (over 75 percent). Trapdoor used HTML5-based payout pages, a pattern previously observed in earlier fraud networks such as SlopAds, Low5, and BADBOX 2.0. The affected apps employed obfuscation and anti-analysis techniques, such as imitating legitimate SDKs, to evade detection.
Following responsible disclosure, Google removed all 455 identified apps from Google Play, cutting off the operation's distribution channel.
Source: ainews-dev.lumi-systems.io · Published May 19, 2026
Lumi AI News — AI-assisted curation according to Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.5.2.