Trapdoor Android Ad Fraud Operation Uses 455 Malicious Apps to Generate Fake Clicks

A large-scale ad fraud operation called Trapdoor has been discovered targeting Android users through 455 malicious apps, quietly generating fake ad clicks and draining real advertising budgets across the digital ecosystem.

At its peak, the operation produced 659 million fraudulent bid requests in a single day, and the apps involved accumulated well over 24 million downloads worldwide.

What makes Trapdoor particularly dangerous is how ordinary it looks at first glance. The apps in this scheme pose as simple utility tools: PDF viewers, file managers, and device cleanup apps that any everyday user might download without much concern.

Once installed, these apps do not immediately launch malicious activity. Instead, they push fake ads warning the user that the app is outdated and needs an urgent update.

When the user taps through on that prompt, they unknowingly end up installing a second, more harmful app controlled by the same threat actors.

Researchers at HUMAN’s Satori Threat Intelligence and Research Team, including Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell, identified and disrupted the operation.

Figure: Trapdoor threat (Source: HUMAN)

HUMAN Security said in a report shared with Cyber Security News (CSN) that the campaign fuses malvertising and ad fraud within a single connected pipeline, making it one of the more technically layered threats uncovered in the Android ecosystem in recent memory.

The secondary apps are where the real fraud takes place. Once installed, they launch hidden browser windows loading threat actor-owned HTML5 domains and automatically interact with ads without the user seeing anything at all.

Figure: Trapdoor Android Ad Fraud Operation

This generates revenue for the attackers while burning legitimate advertiser budgets on clicks that no real person ever made.

Those earnings can then fund additional malvertising campaigns, creating a self-sustaining loop that keeps the operation alive.

Google has removed all identified apps from the Play Store following responsible disclosure. Researchers noted that threat actors were still publishing new apps and cycling through fresh domains even while the report was being finalized, showing no sign of stopping.

Trapdoor moves through four connected stages: distribution, activation, payload delivery, and monetization. The first stage relies on app stores, where users willingly download apps that appear helpful and harmless.

Initial apps are kept clean enough to pass basic security review checks and avoid raising early suspicion. After installation, the first app begins serving fake ads shaped like urgent update alerts.

These prompts feel credible and familiar, exploiting the common habit of tapping through app notifications without careful inspection. Users who fall for it end up installing a second app, which is the true payload carrier in this operation.

The second app hides its activity inside fullscreen browser windows the user never sees. These hidden windows load HTML5 pages on threat actor-owned domains and execute scripted touch gestures targeting specific ad placements.

The gesture data comes from two bundled files, move.txt and click.txt, which map exact screen coordinates and timing so fake clicks appear genuinely human.

Evasion Tactics That Complicate Detection

One of Trapdoor’s most notable traits is how effectively it avoids being spotted. The malicious workflow never activates for organic downloads, meaning an analyst who pulls the app from the Play Store directly sees nothing harmful.

Fraud only triggers for users who arrived through the threat actors’ paid campaigns, confirmed by a marketing attribution tracker value within the install record.

Beyond this selective trigger, the apps use code packing, string encryption, and code virtualization to slow down reverse engineering attempts significantly.

Some variants also impersonate legitimate advertising tools at the code level, helping malicious logic pass initial inspection.

The apps additionally check for VPN activity and debugging indicators, suppressing all malicious behavior the moment either is found.

Users are advised to avoid utility-style apps from unfamiliar developers and to read permission requests carefully before installing anything new.

Removing apps no longer in use and keeping devices updated with current security patches are straightforward habits that meaningfully reduce exposure to operations like Trapdoor.

Indicators of Compromise (IoCs):

The following table reflects the IoC types and key technical artifacts confirmed within the operation:

| Type | Indicator | Description |
|---|---|---|
| File Name | move.txt | Bundled file containing pre-programmed swipe/movement gesture coordinates used for automated ad interaction |
| File Name | click.txt | Bundled file containing tap coordinates and timing data used to simulate human ad clicks |
| C2 Domain List | 183 threat actor-owned domains (full list: CSV) | Command-and-control domains serving click configuration, HTML5 cashout pages, and anti-analysis signals |
| Malicious App List | 455 Android apps (full list: CSV) | Threat actor-owned Android applications used to distribute Trapdoor and carry out ad fraud |
| API Endpoint | /api/referrer | C2 endpoint used to deliver anti-analysis signals including rooted-device checks, debugging indicators, and VPN detection |
| Class/File Type | Fake SDK class | Code structure impersonating a legitimate advertising SDK to evade static analysis |
| Data Class | TouchConfig / TouchData | Deserialized model classes used to execute automated touch events via Android’s dispatchTouchEvent |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
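As an added, constructed example (not HUMAN's code or anything from the article), the following Python triage script walks a decoded APK tree (such as apktool or jadx output) and reports the artifacts listed in the IoC table and described in the gesture-replay section: the bundled move.txt/click.txt gesture files, the /api/referrer anti-analysis endpoint, and TouchConfig/TouchData model classes appearing alongside dispatchTouchEvent. The sample tree, its file contents and the escalation threshold are assumptions made for the demonstration.

```python
import os
import re
import tempfile

# Artifact names taken from the article's IoC table; the scoring is a constructed heuristic.
GESTURE_ASSETS = {"move.txt", "click.txt"}       # bundled swipe / tap coordinate-and-timing files
C2_ENDPOINT = b"/api/referrer"                    # endpoint delivering anti-analysis signals
TOUCH_MODEL = re.compile(rb"\bTouch(Config|Data)\b")
DISPATCH_TOUCH = b"dispatchTouchEvent"            # Android API used to replay the gestures


def scan_decoded_apk(root):
    """Walk a decoded APK tree and collect files matching each indicator class."""
    findings = {"gesture_assets": [], "c2_endpoint": [], "touch_automation": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in GESTURE_ASSETS:
                findings["gesture_assets"].append(rel)
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if C2_ENDPOINT in data:
                findings["c2_endpoint"].append(rel)
            # Flag only files that both reference the model classes and dispatch touch events.
            if DISPATCH_TOUCH in data and TOUCH_MODEL.search(data):
                findings["touch_automation"].append(rel)
    return findings


def verdict(findings):
    """Two or more independent indicator classes together warrant escalation (assumed threshold)."""
    hits = sum(1 for matches in findings.values() if matches)
    return "suspicious" if hits >= 2 else "review" if hits == 1 else "clean"


def build_sample_tree():
    """Constructed sample layout (not real malware) with the article's artifacts in place."""
    root = tempfile.mkdtemp(prefix="apk_triage_demo_")
    os.makedirs(os.path.join(root, "assets"))
    os.makedirs(os.path.join(root, "sources", "com", "example"))
    with open(os.path.join(root, "assets", "click.txt"), "w") as fh:
        fh.write("placeholder: the real coordinate/timing format is not published\n")
    with open(os.path.join(root, "sources", "com", "example", "Player.java"), "w") as fh:
        fh.write("class TouchConfig {}\nvoid run(View v, MotionEvent e) { v.dispatchTouchEvent(e); }\n")
    with open(os.path.join(root, "sources", "com", "example", "Net.java"), "w") as fh:
        fh.write('String path = "/api/referrer";\n')
    return root
```

Run `scan_decoded_apk` against a real decoded tree in place of `build_sample_tree()`; a "suspicious" verdict is a cue for manual review, not proof of fraud, since a legitimate app could plausibly contain one of these strings.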

The post Trapdoor Android Ad Fraud Operation Uses 455 Malicious Apps to Generate Fake Clicks appeared first on Cyber Security News.

Source: cybersecuritynews.com –
