Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Ravie LakshmananMay 19, 2026Malvertising / Mobile Security

Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users.

The activity, per HUMAN's Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud.

"Users unwittingly download a threat actor-owned app, often a utility-style app like a PDF viewer or device cleanup tool," researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell detailed in a report shared with The Hacker News.

"These apps trigger malvertising campaigns that coerce users into downloading additional threat actor-owned apps. The secondary apps launch hidden WebViews, load threat actor-owned HTML5 domains, and request ads."

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Other newsrooms on this story

Related reading

Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs.

New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots

CTM360 Exposes Global GovTrap Campaign With 11,000+ Fake Government Portals…

Massive AI investment scam network spans 15,500 domains

300 dollari al mese per controllare qualsiasi Android: il nuovo spauracchio si…

È arrivato Crocodilus: come funziona la nuova truffa su Android