
Cybersecurity researchers have revealed details of a new ad fraud and malvertising operation called “Trapdoor” targeting Android device users.
According to HUMAN’s Satori Threat Intelligence and Research Team, this activity involved 455 malicious Android apps and 183 threat actor-owned command and control (C2) domains, turning the infrastructure into a multi-stage fraud pipeline.
“Users unknowingly download apps owned by threat actors, often utility-style apps such as PDF viewers or device cleanup tools,” researchers Luisa Abel, Ryan Joy, João Marquez, João Santos, and Adam Sell detailed in a report shared with The Hacker News.
“These apps launch malvertising campaigns that force users to download apps owned by additional threat actors. The secondary apps launch hidden WebViews, load HTML5 domains owned by threat actors, and request advertisements.”
The cybersecurity firm added that the campaign is self-sustaining: organic app installs are converted into illicit ad revenue, which in turn funds the next round of malvertising. One notable aspect of the activity is the use of HTML5-based cashout sites, a pattern also observed in the previously tracked threat clusters SlopAds, Low5, and BADBOX 2.0.
At the peak of the operation, Trapdoor recorded 659 million bid requests per day, and the Android apps linked to the scheme had been downloaded more than 24 million times. Traffic associated with the campaign came primarily from the United States, which accounted for more than three-quarters of the volume.
“The attackers behind Trapdoor also exploit install attribution tools (technology designed to allow legitimate marketers to track how users discover their apps) to enable malicious behavior only on users acquired through advertising campaigns run by the threat actor, and suppress it for organic downloads of associated apps,” HUMAN said.

Trapdoor combines two approaches: malvertising for distribution and covert ad fraud for monetization. Unsuspecting users install a first-stage app disguised as a harmless utility; that app acts as a conduit, serving malvertising that pushes the user to install other Trapdoor apps. The second-stage apps perform auto-touch fraud and launch hidden WebViews that load cashout domains controlled by the threat actors and request advertisements.
Only the second-stage apps commit the fraud. When an organically installed first-stage app is launched, it shows a fake pop-up that mimics an app update prompt to trick the user into installing the next-stage app.
The payload is also activated only for victims of the actor's own advertising campaigns, so users who install the apps directly from the Play Store or sideload them are not targeted. On top of this selective activation, Trapdoor uses various anti-analysis and obfuscation techniques to evade detection.
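The selective activation described above is what lets an app pass review and sandbox analysis: an analyst who installs the APK by hand gets an organic install and never sees the payload. The following is an added illustration, not HUMAN's code or the actual app logic. It models an attribution gate on a UTM-style install referrer string (the referrer format, the parameter names, and the campaign identifiers `cmp-7731` and `cmp-9904` are assumptions), and includes a small analyst helper that checks which referrer values would flip such a gate on.

```python
"""Model of Trapdoor-style selective activation (added example, not HUMAN's code).

The article reports that second-stage apps enable fraud only for users acquired
through the actor's own ad campaigns and suppress it for organic installs by
abusing install-attribution tooling. The referrer format below follows the
common UTM convention; the campaign IDs are hypothetical.
"""
from urllib.parse import parse_qs

# Hypothetical campaign identifiers an operator would bake into the app.
ACTOR_CAMPAIGNS = {"cmp-7731", "cmp-9904"}


def parse_referrer(referrer: str) -> dict:
    """Parse a UTM-style install referrer string into single-valued keys."""
    if not referrer:
        return {}
    return {k: v[0] for k, v in parse_qs(referrer, keep_blank_values=True).items()}


def should_activate(referrer: str, campaigns=ACTOR_CAMPAIGNS) -> bool:
    """Gate as the article describes: fire only for paid installs the actor bought.

    An empty referrer (typical for a sideloaded or sandboxed install) and an
    explicit organic medium both keep the payload dormant.
    """
    attrs = parse_referrer(referrer)
    if attrs.get("utm_medium", "organic") == "organic":
        return False
    return attrs.get("utm_campaign") in campaigns


def probe_gate(gate, candidates):
    """Analyst helper: return the referrer strings that switch the gate on."""
    return [r for r in candidates if gate(r)]


# Constructed sample referrers for the demonstration (not captured from devices).
SAMPLES = [
    "",                                                   # sideload / sandbox install
    "utm_source=google-play&utm_medium=organic",          # organic Play install
    "utm_source=trapdoor-net&utm_medium=cpc&utm_campaign=cmp-7731",   # actor's campaign
    "utm_source=some-network&utm_medium=cpc&utm_campaign=unrelated",  # someone else's ad
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r or '<empty>'!r:70} -> active={should_activate(r)}")
    print("gate opens for:", probe_gate(should_activate, SAMPLES))
```

The practical consequence for dynamic analysis is that an emulator which installs the APK via `adb install` supplies no attribution data and exercises only the dormant branch. To reach the gated behaviour, the sandbox has to replay a paid-campaign referrer; how that is injected depends on how the app reads attribution (the legacy `com.android.vending.INSTALL_REFERRER` broadcast can be sent with `adb shell am broadcast`, whereas apps using the Play Install Referrer library read from the Play Store app and need it present on the device).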
“This operation uses real, everyday software and multiple obfuscation and anti-analysis techniques (including blending disguised legitimate SDKs) to blend malvertising delivery, covert ad fraud monetization, and multi-stage malware delivery,” said Lindsay Kaye, VP of Threat Intelligence at HUMAN.
Following responsible disclosure, Google has removed all of the identified malicious apps from the Google Play Store, effectively neutralizing the operation. The complete list of the Android apps is available in HUMAN's report.
“Trapdoor shows how determined fraudsters are turning everyday app installs into self-funding pipelines for malvertising and ad fraud,” said Gavin Reid, chief information security officer at HUMAN. “This is another example of attackers leveraging legitimate tools, such as attribution software, to aid their fraud and evade detection.”
“Through a chain of utility apps, HTML5 cashout domains, and selective activation techniques that hide them from researchers, these threat actors are constantly evolving, and our Satori team is working to track them down and disrupt them at scale.”
