HUMAN’s Satori Threat Intelligence team has disclosed “Trapdoor,” an Android ad fraud operation spanning 455 malicious apps that generated 659 million fraudulent advertising bid requests per day at peak activity, with the apps collectively recording more than 24 million downloads before Google removed them from the Play Store following responsible disclosure.
How the Trapdoor Two-Stage App Pipeline Operated
Trapdoor ran through a two-stage application delivery chain. Users downloaded what appeared to be utility apps — PDF viewers, phone cleanup tools, and similar productivity applications — from the Google Play Store. After installation, these first-stage apps displayed fake system update pop-ups designed to coerce users into installing second-stage applications. The second-stage apps launched hidden web views that automated fraudulent ad impressions and user interactions with no visible activity on the device screen.
The scheme ran entirely in the background. The 659 million daily fraudulent bid requests were generated at peak scale across 455 apps running simultaneously, consuming device resources and defrauding advertising networks while users remained unaware of any background activity.
The Install-Attribution Bypass That Evaded Play Store Review
The most technically notable element of Trapdoor is how it evaded detection during security review. Attackers exploited legitimate install-attribution marketing technology — the systems advertisers use to track which campaigns drove app installs — to activate the malicious ad fraud behavior exclusively for users acquired through the Trapdoor distribution campaign. The behavior was entirely suppressed for users who installed apps organically. Apps submitted to Play Store security review are typically installed through organic or test-account pathways, not through the campaign’s attribution channel, which meant the malicious behavior was invisible during standard review processes.
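A review-side check for the evasion described above, as an added example that is not taken from HUMAN's report or from Google's review tooling: it compares sandbox telemetry from an organic install with telemetry from a campaign-attributed install of the same app, and flags apps whose hidden-web-view ad requests appear only on the attributed path. The event format, package names, install-path labels and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sandbox telemetry (not data from the HUMAN report). Each tuple is
# one observed ad request: (app, install path, web view visible on screen?).
# Package names and the "organic"/"attributed" labels are assumptions.
SAMPLE_EVENTS = (
    [("com.example.pdfview", "organic", True)] * 2
    + [("com.example.pdfview", "attributed", True)] * 2
    + [("com.example.pdfview", "attributed", False)] * 40
    + [("com.example.notes", "organic", True)] * 3
    + [("com.example.notes", "attributed", True)] * 3
    + [("com.example.cleaner", "organic", True)] * 1
)


def hidden_counts(events):
    """Hidden-web-view ad requests per app, split by install path."""
    counts = defaultdict(dict)
    for app, path, visible in events:
        counts[app][path] = counts[app].get(path, 0) + (0 if visible else 1)
    return counts


def attribution_gated(events, min_hidden=10):
    """Apps whose hidden ad traffic shows up only on attributed installs."""
    flagged = {}
    for app, by_path in hidden_counts(events).items():
        organic, attributed = by_path.get("organic"), by_path.get("attributed")
        if organic is None or attributed is None:
            continue  # cannot compare without a run on each install path
        if organic == 0 and attributed >= min_hidden:
            flagged[app] = attributed
    return flagged


def coverage_gaps(events):
    """Apps never exercised through an attributed install (the review blind spot)."""
    return sorted(a for a, p in hidden_counts(events).items() if "attributed" not in p)


if __name__ == "__main__":
    print("attribution-gated:", attribution_gated(SAMPLE_EVENTS))
    print("no attributed run:", coverage_gaps(SAMPLE_EVENTS))
```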
Infrastructure: 183 Command-and-Control Domains and U.S.-Concentrated Traffic
The Trapdoor operation was backed by 183 threat-actor-controlled command-and-control domains managing communication with compromised devices. More than 75% of the fraudulent bid traffic originated from U.S. users, making U.S.-based advertisers and advertising networks the primary financial victims of the scheme.
What 659 Million Fraudulent Bids Per Day Cost Advertisers
Programmatic advertising operates through real-time bidding auctions where advertisers pay for placements based on the assumption that a real user will see the advertisement. Fraudulent bid injection inserts fabricated inventory into those auctions — advertisers pay for impressions that no human ever sees. At 659 million fraudulent bid requests per day across 455 apps, Trapdoor directly drained advertiser budgets across the ad networks and exchanges processing the injected bids.
The primary financial victims are brands and advertisers paying for campaign reach that was never delivered to real users, along with ad networks whose measurement and attribution data was contaminated by the artificial traffic. Trapdoor represents one of the larger mobile ad fraud operations disclosed in 2026 by volume of fraudulent daily bid activity.
Google’s Removal and Residual Risk to Users Who Already Installed
Following responsible disclosure by HUMAN, Google removed all 455 identified malicious apps from the Play Store, severing the campaign’s primary distribution channel. Users who had installed any of the 455 apps before removal remain exposed until they manually uninstall those applications from their devices. The 24 million total download figure represents the scale of the potential residual installation base still active on user devices after the Play Store listings were taken down.
