Cybersecurity researchers have uncovered a massive global ad fraud and malvertising operation targeting Android users, dubbed “Trapdoor.” According to the report, the operation involved more than 455 malicious Android applications and 183 command-and-control (C2) domains. Investigators found that the network was generating nearly 659 million fake advertising bid requests every day, allegedly enabling cybercriminals to illegally profit from the digital advertising ecosystem.
Researchers said the malicious campaign relied on seemingly harmless utility-style applications such as PDF viewers, device cleaners and phone optimization tools. Unsuspecting users downloaded these apps believing they were legitimate, but once installed, the applications secretly triggered the download and promotion of secondary malicious apps while simultaneously activating fraudulent advertising activity in the background.
According to investigators, one of the most alarming aspects of the operation was its “self-sustaining fraud model.” Once a user installed one fake application, the same app acted as a distribution channel for additional malicious apps, helping cybercriminals continuously expand the network and generate illicit advertising revenue through fake traffic and automated interactions.
The report stated that second-stage apps launched hidden WebViews that loaded attacker-controlled HTML5 websites. These apps then generated fake ad requests and automated click activity in the background without the user’s knowledge. Cybersecurity experts said the operation was designed for “ad fraud monetization,” where advertising platforms are manipulated using fabricated traffic, fake impressions and false user engagement metrics.
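One way an ad platform or app-vetting team can surface the kind of automated WebView click traffic described above is to look for impression-to-click timing that is too regular to be human. The following is an added detection sketch, not code from the report or from the campaign; the package names, device ids and event log are constructed sample data.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample event log: (package, device_id, timestamp_s, event).
# "pdf.viewer.pro" mimics a hidden-WebView click bot: every impression on
# every device is "clicked" exactly 2 s later. "notes.app" mimics sparse,
# irregular human engagement. Both names are hypothetical.
EVENTS = []
for dev in ("d1", "d2", "d3"):
    for t in (100, 160):
        EVENTS += [("pdf.viewer.pro", dev, t, "imp"),
                   ("pdf.viewer.pro", dev, t + 2, "click")]
EVENTS += [("notes.app", "d9", t, "imp") for t in range(100, 1100, 100)]
EVENTS += [("notes.app", "d9", 207, "click"), ("notes.app", "d9", 531, "click")]


def app_stats(events):
    """Per package: impressions, clicks, CTR and the spread of the
    impression-to-click delay measured per device (None if <2 clicks)."""
    imps, clicks = defaultdict(int), defaultdict(int)
    last_imp, delays = {}, defaultdict(list)
    for pkg, dev, ts, ev in sorted(events, key=lambda e: e[2]):
        if ev == "imp":
            imps[pkg] += 1
            last_imp[(pkg, dev)] = ts
        elif ev == "click":
            clicks[pkg] += 1
            if (pkg, dev) in last_imp:
                delays[pkg].append(ts - last_imp[(pkg, dev)])
    stats = {}
    for pkg, n in imps.items():
        d = delays[pkg]
        stats[pkg] = {"impressions": n, "clicks": clicks[pkg],
                      "ctr": clicks[pkg] / n,
                      "delay_jitter": pstdev(d) if len(d) > 1 else None}
    return stats


def flag_suspicious(stats, max_ctr=0.2, min_jitter=0.5):
    """Flag packages whose click-through rate is implausibly high AND whose
    click timing is nearly constant, a signature of scripted engagement."""
    return sorted(pkg for pkg, s in stats.items()
                  if s["ctr"] > max_ctr
                  and s["delay_jitter"] is not None
                  and s["delay_jitter"] < min_jitter)


if __name__ == "__main__":
    print(flag_suspicious(app_stats(EVENTS)))  # → ['pdf.viewer.pro']
```

The thresholds are illustrative; in practice they would be tuned per ad format and combined with device, install-source and network signals.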
Researchers also discovered that the operators abused install attribution tools — technology normally used by legitimate marketers to understand how users discover and install apps. In the Trapdoor campaign, however, these tools were allegedly used to selectively activate malicious behavior only for users who downloaded apps through threat actor-controlled advertising campaigns. Users who installed the same apps directly from the Google Play Store or through sideloading often did not encounter the malicious behavior, making detection significantly more difficult.
According to the findings, apps linked to the operation were downloaded more than 24 million times. The majority of the traffic reportedly originated from the United States, accounting for more than three-fourths of the campaign’s activity. Researchers noted that the operators used sophisticated anti-analysis and obfuscation techniques to evade security researchers, automated scanning systems and app store monitoring mechanisms.
Renowned cyber crime expert and former IPS officer Prof. Triveni Singh said the case demonstrates how cybercriminals are increasingly moving beyond traditional malware operations and targeting the digital advertising ecosystem in a highly organised manner. He noted that fake utility apps, deceptive update pop-ups, hidden WebViews and background advertising traffic are being used not only to defraud advertising companies but also to create significant risks for user privacy and mobile device security.
Following the investigation, Google initiated action to remove the identified malicious applications from the Play Store. However, cybersecurity experts warned that such networks frequently re-emerge under new identities, using renamed applications and modified infrastructure to bypass detection systems.
Experts have advised Android users to exercise caution before downloading unknown utility applications. Users are encouraged to verify developer credentials, app permissions, reviews and download histories before installation. Security professionals also recommend downloading apps only from trusted sources and ensuring that mobile devices remain updated with the latest security patches and protection tools.