Android users beware — this huge fraud scam campaign hit millions of victims around the world, make sure you're not next

News
By published

Researchers found hundreds of malicious apps on the Play Store

Man looking at smartphone
Behöver du en VPN till din Android? (Image credit: Shutterstock)
  • Trapdoor is an ad fraud campaign using 455 Android apps and 183 C2 domains
  • The apps tricked users into fake updates, then secretly launched invisible WebViews to generate 659 million fraudulent ad bid requests daily
  • Google removed the 24M+ downloaded apps after disclosure, with researchers warning of malvertising pipelines built from everyday installs

Security researchers have discovered and dismantled a major ad fraud and advertising operation that comprised hundreds of Android apps, and probably generated millions of dollars in profits.

Human Security researchers from the Satori team claim the Trapdoor campaign used 455 applications and 183 command-and-control (C2) domains.

It started on the Google Play Store, where victims were offered seemingly benign utility apps, such as PDF readers, and similar. These apps worked as intended and did nothing that would suggest malicious behavior (for example, asked for extensive permissions or tried to exfiltrate data to a third-party server). However, soon after installation, the apps would display a pop-up window that they need to be updated.

Latest Videos From

Hundreds of millions of bid requests

This update is essentially fake, and triggering it actually downloads an entirely different app. That app, which does its best to stay hidden on the device, also launches invisible WebViews, loads HTML5 domains under the attackers’ control, and then requests ads.

Through these ads, that no one ever really sees, the threat actors stole money from advertisers, as well as companies using ad networks to promote their products and services.

According to the Human Security report, at its peak, Trapdoor accounted for 659 million bid requests a day, meaning advertisers were bidding on 659 million fake ad opportunities every day. Furthermore, the apps associated with the threat have been downloaded more than 24 million times.

After notifying Google about their findings, the Play Store maker removed all of the identified malicious apps from its app repository. You can find the full list of the apps on this link, and if you see anything you’re using, make sure to uninstall it from all of your devices.

"Trapdoor is a reminder that threats to the digital advertising ecosystem do not neatly fall into single categories," Human Security noted. "By fusing malvertising distribution with hidden ad fraud monetization, Trapdoor creates a pipeline in which each stage fuels the next: malvertising drives secondary app installs, those apps generate fraudulent ad revenue, and that revenue can fund further malvertising campaigns."

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.