Trapdoor Android ad fraud operation ran 659 million fake bid requests per day using 455 malicious apps downloaded 24 million times

Started by CollapseState, May 21, 2026, 11:02 AM




CollapseState

HUMAN's Satori Threat Intelligence team disclosed details of Trapdoor, a large-scale Android ad fraud and malvertising operation. At peak it generated 659 million fraudulent bid requests daily through 455 malicious Android apps and 183 command-and-control domains. The apps were downloaded more than 24 million times, with over 75 percent of traffic originating from the United States.

The infection chain is clever. Apps enter the Play Store as seemingly legitimate utilities including PDF readers, file managers, and device cleaners. They behave normally for organic downloads, suppressing malicious behaviour for users who found the app through normal channels. Only users acquired through threat actor ad campaigns trigger the fraud pipeline, making detection by Google's automated systems harder.

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Amber Tiger

The selective targeting based on acquisition channel is the sophisticated part. Most fraud detection looks at app behaviour in aggregate. Behaving cleanly for organic users while defrauding paid-acquisition users is a deliberate evasion of that detection method.
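The point made in the opening post and restated above (clean behaviour for organic installs, fraud only for installs the actor paid for) can be shown with a small cohort analysis. This is an added example, not HUMAN/Satori code and not anything the thread says Trapdoor's operators or defenders ran. It assumes per-install telemetry carrying an attribution channel ("organic" or a paid campaign id), bid-request counts and foreground seconds over a 24 h window; the thread does not say how Trapdoor decides which installs to defraud, so the channel field is a stand-in for that decision, and all sample data is constructed.

```python
"""Acquisition-channel cohort analysis (added illustration, not HUMAN/Satori code).

Assumed telemetry per install: attribution channel, ad bid requests in 24 h,
and seconds the app spent in the foreground in that window. The channel field
is a hypothetical stand-in for however the app decides an install came from
the actor's own ad campaign. All rows below are constructed.
"""
import random
from statistics import median


def build_sample(seed=7):
    """Constructed telemetry: 100 organic installs behaving normally and
    5 paid-acquisition installs firing bid requests with zero foreground time."""
    rng = random.Random(seed)
    rows = []
    for i in range(100):
        fg = rng.randint(300, 1800)  # 5 to 30 minutes of real use
        rows.append({
            "device": f"org-{i}",
            "channel": "organic",
            "bid_requests": fg // 40 + rng.randint(0, 5),  # roughly one ad slot per 40 s
            "foreground_s": fg,
        })
    for i in range(5):
        rows.append({
            "device": f"paid-{i}",
            "channel": "paid:cmp-001",  # hypothetical campaign id
            "bid_requests": rng.randint(1500, 3000),
            "foreground_s": 0,  # fraud pipeline runs entirely in the background
        })
    return rows


def requests_per_foreground_minute(row):
    """Bid requests per minute of real use; infinite if requests occur with no use."""
    if row["foreground_s"] == 0:
        return float("inf") if row["bid_requests"] else 0.0
    return row["bid_requests"] / (row["foreground_s"] / 60)


def app_level_view(rows):
    """What an aggregate, per-app check sees: the median install looks normal,
    because the fraud cohort is a small minority of installs."""
    rates = [requests_per_foreground_minute(r) for r in rows]
    return {
        "installs": len(rows),
        "median_rate": median(rates),
        "median_requests": median(r["bid_requests"] for r in rows),
    }


def cohort_view(rows):
    """Same data split by acquisition channel; the paid cohort stands out."""
    by_channel = {}
    for r in rows:
        by_channel.setdefault(r["channel"], []).append(r)
    out = {}
    for channel, group in by_channel.items():
        rates = [requests_per_foreground_minute(r) for r in group]
        background_only = sum(
            1 for r in group if r["foreground_s"] == 0 and r["bid_requests"] > 0
        )
        out[channel] = {
            "installs": len(group),
            "median_rate": median(rates),
            "background_only_share": background_only / len(group),
        }
    return out


def flag_cohorts(rows, max_rate=5.0, max_background_share=0.2):
    """Return channels whose installs request ads far faster than real use
    allows, or mostly request ads while never in the foreground."""
    return sorted(
        channel
        for channel, v in cohort_view(rows).items()
        if v["median_rate"] > max_rate or v["background_only_share"] > max_background_share
    )


if __name__ == "__main__":
    sample = build_sample()
    print("app-level:", app_level_view(sample))
    for channel, stats in cohort_view(sample).items():
        print(channel, stats)
    print("flagged:", flag_cohorts(sample))
```

The app-level median rate stays inside the range of normal use because 100 of 105 installs are organic, which is exactly why an aggregate per-app check passes the app. Splitting on the same field the malware itself keys on makes the paid cohort's infinite requests-per-minute and 100 percent background-only share obvious. The thresholds are illustrative; in practice they would be tuned per app category.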

Connor97

659 million fake bid requests per day is not a small operation. This is industrial-scale fraud infrastructure. The economics of ad fraud at this volume are significant enough to fund serious ongoing development.

Piston

The irony of using ad fraud infrastructure to distribute further malicious apps to more victims is elegant in a criminal sense. The fraud is both the revenue model and the distribution mechanism.

Teal Sparrow

24 million downloads of the associated apps is the number that should put Google on notice. These apps passed Play Store review. Either the review process is insufficient or the actors specifically designed them to evade it, probably both.
Somewhere between inspired and overwhelmed

WearyCoder

PDF readers and device cleaners are the classic Trojan horse apps for mobile. The category is useful enough that people install them without scrutiny and permissions-hungry enough that the malware has what it needs once installed.
Just here for the craic :)

ShawnMichaels

The 183 C2 domains suggest significant infrastructure investment. Maintaining that many domains for command and control while keeping them live long enough to generate 659 million daily requests requires real operational security.

Jan79

HUMAN disrupting this is good news, but the actors will rebuild. The playbook is documented now and the economic incentive is enormous. Expect a successor operation with better evasion within months.

GlassKnight

The US accounting for 75 percent of traffic is not surprising given ad market CPM rates. US-targeted ad fraud generates higher revenue per fake click than almost any other geography.

Amber_44

Any Android user who installed a PDF reader or file manager from an unfamiliar developer in the past year should probably run a security audit of their device.
