
Trapdoor Android Ad Fraud Scheme Hits 659 Million Daily Bid Requests Using 455 Apps

Ravie Lakshmanan | May 19, 2026 | Malvertising / Mobile Security

Cybersecurity researchers have disclosed details of a new ad fraud and malware operation, called Trapdoor, that targets Android device users.

The operation, according to HUMAN’s Satori Threat Intelligence and Research team, comprised 455 malicious Android applications and 183 command-and-control (C2) domains operated by the threat actors, with the infrastructure forming a multi-stage fraud pipeline.

“Users unknowingly download an application hosted by a threat actor, usually a utility-style application such as a PDF viewer or device cleaning tool,” researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell said in a report shared with The Hacker News.

“These apps run deceptive campaigns that force users to download the actors’ malicious apps. The secondary apps open hidden WebViews, load HTML5 domains hosted by the actor, and request ads.”

The campaign, the cybersecurity company added, is self-sustaining because real app installs feed an illicit revenue cycle that can be used to fund successive fraud campaigns. One notable feature of the operation is its use of HTML5-based cash-out sites, a pattern seen in previously tracked threat clusters such as SlopAds, Low5, and BADBOX 2.0.

At its peak, Trapdoor submitted 659 million bid requests per day, and the Android applications connected to the scheme were downloaded more than 24 million times. Traffic associated with the campaign came primarily from the US, which accounted for more than three-quarters of the traffic volume.

“Threat actors behind Trapdoor are also abusing attribution tools (technology designed to help legitimate advertisers track how users arrive at apps) to enable malicious behavior only for users who are recruited through ad campaigns run by the threat actors, while suppressing it for other downloads of the related apps,” HUMAN said.

Trapdoor combines two distinct techniques: deceptive distribution and hidden ad-fraud monetization. Unsuspecting users download decoy applications that masquerade as seemingly harmless services; these act as a conduit for serving malicious ads that push other Trapdoor applications, which in turn perform automated click fraud by opening hidden WebViews that load actor-controlled cash-out pages.

It is worth noting that only the second-stage application is used to carry out the fraud. Once the organically downloaded app is launched, it displays fake pop-up alerts that mimic app-update prompts to trick users into installing the second-stage app.

This behavior also means the payload is delivered only to users who arrive through the actors’ advertising campaigns. In other words, anyone who downloads the app organically from the Google Play Store or sideloads it will not be targeted. Beyond this selective activation, Trapdoor uses various anti-analysis and obfuscation techniques to avoid detection.

“This operation uses real, day-to-day software and multiple obfuscation and counter-analysis techniques – such as masquerading as legitimate SDKs for integration – to help facilitate malicious distribution, monetize hidden ads, and distribute multi-stage malware,” said Lindsay Kaye, HUMAN’s vice president of threat intelligence.

Following responsible disclosure, Google has removed all of the identified malicious apps from the Google Play Store. The complete list of the Android apps is available in HUMAN’s report.

“Trapdoor shows how serious fraudsters are turning everyday app installs into a self-funding pipeline for fraud and ad fraud,” said Gavin Reid, chief information security officer at HUMAN. “This is another case of threat actors choosing legitimate tools – such as hacking software – to aid in their fraud campaigns and help them avoid detection.”

“By bringing together consumer applications, HTML5 cash-out platforms, and unlocking methods that hide themselves from researchers, these actors are constantly evolving, and our Satori team is committed to tracking and disrupting them at scale.”
