Self-sustaining fraud cycle drove 24 million downloads of malicious Android apps, connecting to threat actor–controlled HTML5 domains to fuel large-scale ad fraud
NEW YORK, NY — May 19, 2026 — HUMAN Security, Inc., the trust layer for digital customer experiences in the agentic era, today announced that its Satori Threat Intelligence and Research Team has identified and disrupted a fast-growing ad fraud and malvertising operation dubbed Trapdoor.
The scheme gets its name because it functions like a hidden entryway to other areas—in this case, by fusing malvertising distribution with hidden ad-fraud monetization to create a pipeline in which each stage fuels the next. In this way, Trapdoor is essentially a self-sustaining cycle and multi-stage pipeline of fraud, encompassing 455 malicious Android apps and 183 threat-actor-owned HTML5 domains. Malicious apps trigger malvertising campaigns that use marketing attribution software to determine whether to download additional malicious apps, which then perform ad fraud using extensive obfuscation and anti-analysis techniques. Google removed all of the identified malicious apps from Google Play, and Google Play Protect automatically safeguards users from apps known to exhibit Trapdoor-associated behavior. At its peak, Trapdoor accounted for 480 million bid requests a day, with associated apps downloaded more than 24 million times.
“Trapdoor shows how determined fraudsters turn everyday app installs into a self-funding pipeline for malvertising and ad fraud,” said Gavin Reid, CISO at HUMAN. “This is another instance of threat actors co-opting legitimate tools—such as attribution software—to aid in their fraud campaigns and help them evade detection. By chaining together utility apps, HTML5 cashout domains, and selective activation techniques that hide from researchers, these actors are constantly evolving, and our Satori team is committed to tracking and disrupting them at scale.”
The Trapdoor operation involves these steps:
The use of HTML5 cashout domains as the monetization layer connects Trapdoor to a broader pattern observed by Satori researchers: the SlopAds, Low5, and BADBOX 2.0 operations all used HTML5 game and news domains as cashout mechanisms. Trapdoor also involves abuse of marketing attribution tools, similar to the SlopAds investigation.
“Trapdoor is a reminder that threats to the digital advertising ecosystem do not neatly fall into single categories,” said Lindsay Kaye, Vice President of Threat Intelligence at HUMAN. “This operation uses real, everyday software and multiple obfuscation and anti-analysis techniques—such as impersonating legitimate SDKs to blend in—to help fuse malvertising distribution, hidden ad fraud monetization, and multi-stage malware distribution. HUMAN will continue to monitor these emerging cyber threat tactics.”
Researchers have shared the full list of Trapdoor-associated apps and domains with Google, and customers partnering with HUMAN for Ad Fraud Defense and Ad Click Defense remain protected from Trapdoor. Satori researchers will continue monitoring the threat actors for new adaptations.
About HUMAN
HUMAN Security is the global leader in Agentic Trust, the emerging discipline that informs and governs how humans, bots, and AI agents operate online. For more than a decade, HUMAN has specialized in understanding and mitigating automated traffic risk at internet scale, protecting the world’s largest brands, advertising platforms, and commerce networks. Today, HUMAN helps enterprises, platforms, and digital ecosystems verify digital interactions and establish trust across the entire customer journey – from first ad impression to final transaction. Powered by one of the world’s largest behavioral signal networks, HUMAN analyzes over a quadrillion digital interactions each year to distinguish legitimate activity from fraud, abuse, and automated manipulation.
HUMAN delivers a unified trust layer for the agentic era — bridging security, marketing, and media with shared visibility, governance, and confidence in a world where humans and AI agents operate side by side.
