HUMAN BLOG

Trapdoor Borrows from an Evolving Family of Cyber Crime Tactics to Self-Fund Ad Fraud


Imran Azad

May 19, 2026

Ad Fraud, Automated Threats, Threat Intelligence

One of the many benefits of our Satori Threat Intelligence and Research Team is its ability to detect patterns in evolving cyberthreat techniques. This is a critical capability, as the time from when a new tactic is first detected to when it reappears can provide a key signal to how threat actors scale attacks.

This is exactly what our investigators found in their recent identification and disruption of Operation Trapdoor. This multi-stage Android scheme blends malvertising and ad fraud into a single self-sustaining system, responsible for 455 malicious Android apps and 183 threat actor–owned command-and-control (C2) domains. At its peak, Trapdoor-associated traffic accounted for 659 million bid requests per day, and the apps connected to the operation were downloaded more than 24 million times.

Trapdoor is especially notable for three things: a cashout layer of HTML5 sites shared with other operations, its use of mobile attribution tooling as a control panel for fraud, and a growth loop in which fraud revenue funds further distribution. We’ll explore each below.

The Shared Cashout Layer: HTML5 Sites Behind Multiple Operations

Trapdoor gets its name from the fact that it operates like a hidden entryway, fusing malvertising as a distribution vector with ad-fraud monetization to create a pipeline in which each stage fuels the next. We’ll start with the second stage, because that is where the operation actually commits the fraud.

In Trapdoor-based fraud, a secondary app launches a full-screen hidden WebView, connects to a C2 domain, and then loads HTML5 game or news sites controlled by the threat actors. Those pages use pre-programmed touch gestures to simulate human interaction with ads and generate revenue. SlopAds, Low5, and BADBOX 2.0 similarly used HTML5 domains as cashout sites for hidden WebViews and fraudulent traffic.

For ad tech and security teams, this means it’s not enough to look only at app behavior. They must also recognize and mitigate the shared cashout infrastructure that underpins several operations simultaneously.
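One way an ad tech or security team can surface a shared cashout layer from its own bid-request logs, as an added example (this is not HUMAN’s or Satori’s code, and the log format, app bundle names and domains are constructed for illustration): index each rendered page domain by the apps that send traffic to it, and flag domains that absorb a large share of traffic from several unrelated apps. The WebView check relies on the “; wv)” token that Android’s system WebView adds to its user-agent string; the field names mirror OpenRTB’s app.bundle, site.domain and device.ua but the thresholds are assumptions to tune per dataset.

```python
"""Flag candidate shared cashout domains in bid-request logs.

Added example, not HUMAN's or Satori's code. SAMPLE_LOG is constructed:
three unrelated utility apps push hidden-WebView traffic to the same two
HTML5 domains, while a legitimate app only renders its own site.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BidRequest:
    app_bundle: str    # app declared as inventory source (OpenRTB app.bundle)
    page_domain: str   # domain of the page rendered inside the app (site.domain)
    user_agent: str    # device.ua


# Constructed UA strings. Android's system WebView adds "; wv)" to its UA.
WEBVIEW_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 6 Build/TQ3A.230805.001; wv) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
              "Chrome/120.0.0.0 Mobile Safari/537.36")
CHROME_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 6) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36")


def _reqs(app, domain, n, ua):
    return [BidRequest(app, domain, ua) for _ in range(n)]


SAMPLE_LOG = (
    _reqs("com.example.pdfreader", "h5game-one.example", 4, WEBVIEW_UA)
    + _reqs("com.example.pdfreader", "h5news-two.example", 2, WEBVIEW_UA)
    + _reqs("com.example.flashlight", "h5game-one.example", 3, WEBVIEW_UA)
    + _reqs("com.example.flashlight", "h5news-two.example", 2, WEBVIEW_UA)
    + _reqs("com.example.qrscanner", "h5game-one.example", 2, WEBVIEW_UA)
    + _reqs("com.example.qrscanner", "h5news-two.example", 2, WEBVIEW_UA)
    + _reqs("com.example.recipes", "recipes.example", 5, CHROME_UA)
)


def is_android_webview(ua):
    """True if the UA carries Android's system WebView marker."""
    return "; wv)" in ua


def shared_cashout_candidates(requests, min_apps=3, min_share=0.3):
    """Return domains that receive >= min_share of the traffic of at least
    min_apps distinct apps. Each hit records the apps involved and the share
    of that domain's requests that came from an Android WebView.
    """
    per_app_domain = Counter((r.app_bundle, r.page_domain) for r in requests)
    per_app = Counter(r.app_bundle for r in requests)
    domain_total = Counter(r.page_domain for r in requests)
    domain_webview = Counter(r.page_domain for r in requests
                             if is_android_webview(r.user_agent))

    apps_per_domain = defaultdict(set)
    for (app, domain), n in per_app_domain.items():
        if n / per_app[app] >= min_share:
            apps_per_domain[domain].add(app)

    result = {}
    for domain, apps in apps_per_domain.items():
        if len(apps) >= min_apps:
            result[domain] = {
                "apps": sorted(apps),
                "webview_share": domain_webview[domain] / domain_total[domain],
            }
    return result


if __name__ == "__main__":
    for domain, info in shared_cashout_candidates(SAMPLE_LOG).items():
        print(domain, info)
```

A domain that a single app renders heavily is unremarkable; the signal is the fan-in from many apps with no obvious relationship to the domain, combined with a WebView share near 100%. Run this against the apps named in a takedown report and the same domains tend to fall out across operations, which is the shared-layer point the text makes.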

Turning Attribution into a Control Panel for Fraud

One of the most noteworthy aspects of Trapdoor is the fact that its threat actors co-opted legitimate tools to commit fraud and evade detection. 

Mobile attribution tools normally track which campaigns drive app installs, whether organic or non-organic. In Trapdoor, associated apps integrate an attribution SDK and inspect tracker_name values to see whether an install came from a threat-actor ad campaign or organic discovery. Malicious workflows such as hidden WebViews and automated ad interactions are activated only for installs tagged as ad-driven by the threat actors’ campaigns, leaving organic installs and many security researcher setups clean.

Satori researchers first observed marketing attribution platforms being abused as a gate for ad fraud during their SlopAds investigation. Its reappearance in Trapdoor confirms that this tactic is now part of a broader pattern: threat actors are abusing the instrumentation that marketers rely on in order to hide from security and research. Fraudsters behind schemes like Trapdoor can also pollute and manipulate attribution data and campaign analytics, which complicates both fraud detection and marketing performance measurement.
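A practical consequence for analysts is that a single sandbox run of an attribution-gated app is not enough. The following added example (not HUMAN’s or Satori’s code) shows the differential approach: run the same app once as an organic install and once under an install that the attribution SDK tags as campaign-driven, then report the hosts that appear only in the second run and only after the attribution callback. The trace format, hostnames and the assumption that the SDK reports organic installs with tracker_name "Organic" are constructed for illustration.

```python
"""Differential network analysis of an attribution-gated Android app.

Added example, not HUMAN's or Satori's code. Both traces are constructed:
the same app is observed under an organic install and under an install the
attribution SDK tags as a campaign install. The hidden-WebView activity is
expected to surface only in the second run, and only after the callback.
"""
from dataclasses import dataclass

ATTRIBUTION_HOST = "attribution-sdk.example"   # assumed SDK endpoint
ORGANIC_LABEL = "Organic"                      # assumed organic tracker_name


@dataclass(frozen=True)
class NetEvent:
    t: float      # seconds since app launch
    host: str     # contacted host, as seen by the interception proxy
    note: str     # short annotation from the proxy / instrumentation


def _run(tracker_name, extra):
    """Build a trace: shared benign traffic plus run-specific events."""
    base = [
        NetEvent(0.5, ATTRIBUTION_HOST, "attribution callback tracker_name=" + tracker_name),
        NetEvent(1.0, "api.pdfreader.example", "config fetch"),
        NetEvent(2.0, "ads.legit-network.example", "visible banner request"),
    ]
    return sorted(base + extra, key=lambda e: e.t)


ORGANIC_RUN = _run(ORGANIC_LABEL, [])
ATTRIBUTED_RUN = _run("TA Campaign 7", [
    NetEvent(3.5, "c2-one.example", "poll from hidden WebView"),
    NetEvent(4.0, "h5game-one.example", "HTML5 game loaded in hidden WebView"),
    NetEvent(6.0, "h5game-one.example", "scripted touch on ad"),
])


def attribution_callback(run):
    """Return (time, tracker_name) of the first attribution callback, or None."""
    for e in run:
        if e.host == ATTRIBUTION_HOST and "tracker_name=" in e.note:
            return e.t, e.note.split("tracker_name=", 1)[1]
    return None


def gated_hosts(baseline, candidate):
    """Hosts contacted in candidate but never in baseline, restricted to
    events that occur after the candidate's attribution callback. Hosts
    touched before the callback cannot be explained by the gate."""
    cb = attribution_callback(candidate)
    if cb is None:
        return []
    t_cb = cb[0]
    seen = {e.host for e in baseline}
    return sorted({e.host for e in candidate
                   if e.host not in seen and e.t > t_cb})


def looks_attribution_gated(organic_run, attributed_run):
    """True when the organic run was tagged organic, the other run was tagged
    as a campaign install, and extra hosts appear only after that tag."""
    org = attribution_callback(organic_run)
    att = attribution_callback(attributed_run)
    if org is None or att is None:
        return False
    return (org[1] == ORGANIC_LABEL and att[1] != ORGANIC_LABEL
            and bool(gated_hosts(organic_run, attributed_run)))


if __name__ == "__main__":
    print("gated hosts:", gated_hosts(ORGANIC_RUN, ATTRIBUTED_RUN))
    print("attribution-gated:", looks_attribution_gated(ORGANIC_RUN, ATTRIBUTED_RUN))
```

The ordering check matters: if the extra hosts appeared before the SDK reported attribution, the gate would not be the explanation and you would look elsewhere (device fingerprinting, time delays). The same harness also catches the inverse failure, an analysis environment whose install is always recorded as organic and therefore never sees the malicious branch.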

When Fraud Funds Itself: Trapdoor’s Growth Loop

Trapdoor’s scale stems from its self-perpetuating, multi-stage pipeline of fraud.  

In the first stage, internet users download a utility app, like a PDF reader, from the Google Play Store. This tactic helps the Trapdoor threat actors avoid suspicion and appeal to a wider audience. These apps do not themselves commit ad fraud. Instead, after installation they serve malvertising that claims the app is out of date and shows a fake “Update” button. A user who taps it unwittingly downloads a second malicious app, which runs the hidden WebView and automated touch fraud described above.

Here’s where the self-funding nature of the operation comes in. The threat actors take the revenue from hidden HTML5 ad interactions and recycle it into more malvertising spend, acquiring more users who install the first app, and so on. This makes Trapdoor less like a static botnet and more like a growth engine: the longer it runs, the more resources it has to scale itself.

What Trapdoor Signals About the Future of Ad Fraud

By publishing new apps, cycling through domains, and layering obfuscation techniques to stay ahead of detection, the Trapdoor threat actors show how far an operation can go when it keeps adapting. Other recent Satori investigations indicate that this is an evolving family of tactics, not a set of isolated one-offs.

HTML5 sites, as a common cashout layer across Trapdoor, SlopAds, Low5, BADBOX 2.0, and related operations, show that new tactics can gain quick adoption, and scale, across a wide network of cybercriminals. The use of attribution platforms as a detection-evasion layer is another technique we expect to see more often. Most concerning, large-scale self-funding loops let operations grow quickly once established, producing fraud that is difficult to catch before it spreads.

HUMAN has deployed protections across Ad Fraud Defense and Ad Click Defense to protect customers from Trapdoor’s hidden activity. For IOCs, app lists, and deeper technical details, read the full Trapdoor technical report here. If you’d like to see how these themes recur across operations, check out posts from related past investigations, including SlopAds, BADBOX 2.0, and IconAds.
