Trapdoor Android ad fraud: 455 apps, 24M downloads, 659M daily bid requests, selective activation via attribution tools
HUMAN Security has detailed Trapdoor, an Android ad-fraud and malvertising operation that pushed 455 apps with more than 24 million combined Play Store downloads and drove an average of 659 million daily ad-bid requests, three-quarters of them from US devices. The operators run their own ad campaigns to recruit victims, then use legitimate install-attribution tools to switch on fraud only for users who came in through those campaigns, suppressing the bad behavior for anyone who installed organically, which kept Google's reviewers and most security researchers in the dark. Google has now removed all identified apps from the Play Store.
- Check: Use MDM to inventory any Trapdoor app from HUMAN's published list on managed Android devices. Look for outbound traffic to HTML5 cashout domains in your DNS logs.
- Affected: Android users who downloaded Trapdoor apps after clicking attribution-tagged ads. The campaign is invisible to users who installed the same apps organically.
- Fix: MDM-uninstall the named apps and block their package IDs. Restrict Android sideloading on managed devices. Review attribution-provider settings to limit click campaigns' ability to flag malicious behavior.
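The Check step as an added example (not HUMAN's tooling and not part of the original brief): it matches an MDM app inventory and a DNS query log against indicator lists. The package IDs, domains, CSV columns and log layout are constructed placeholders; substitute the values from HUMAN's published list and your own export formats.

```python
import csv
import io

# Constructed placeholders: replace with the package IDs and cashout domains
# from HUMAN's published Trapdoor indicator list.
BLOCKED_PACKAGES = {"com.example.placeholder.cleaner", "com.example.placeholder.pdfview"}
CASHOUT_DOMAINS = {"cashout-placeholder.example", "h5games-placeholder.example"}

# Constructed sample data: MDM export and DNS query log ("client qname").
MDM_CSV = """device_id,package_name
dev-001,com.example.placeholder.cleaner
dev-001,com.android.chrome
dev-002,com.example.placeholder.pdfview
dev-003,com.example.placeholder.cleaner.pro
"""
DNS_LOG = """10.0.0.5 play.cashout-placeholder.example.
10.0.0.6 notcashout-placeholder.example
10.0.0.7 H5GAMES-placeholder.example
10.0.0.5 www.example.org
"""

def norm_domain(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().rstrip(".").lower()

def flagged_installs(mdm_csv, blocked):
    """Map device_id -> blocked packages installed (exact package ID match)."""
    hits = {}
    for row in csv.DictReader(io.StringIO(mdm_csv)):
        pkg = row["package_name"].strip()
        if pkg in blocked:
            hits.setdefault(row["device_id"], []).append(pkg)
    return hits

def matches_domain(qname, domains):
    # Match the domain itself or any subdomain, only on a label boundary,
    # so "notcashout-placeholder.example" is not a false positive.
    q = norm_domain(qname)
    return any(q == d or q.endswith("." + d) for d in domains)

def flagged_queries(dns_log, domains):
    """Return (client, qname) pairs whose query falls under a listed domain."""
    domains = {norm_domain(d) for d in domains}
    out = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) == 2 and matches_domain(parts[1], domains):
            out.append((parts[0], norm_domain(parts[1])))
    return out
```

Devices returned by `flagged_installs` are candidates for the MDM uninstall in the Fix step; clients returned by `flagged_queries` may point to unmanaged devices that the inventory misses.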