Cybersecurity researchers have uncovered a massive Android campaign called Trapdoor that combined malvertising, hidden ad fraud, and multi-level malware distribution. According to HUMAN, the scheme spanned 455 Android apps and 183 domains, and at its peak generated up to 659 million ad bid requests daily.
HUMAN's Satori threat intelligence team identified the operation, which it named "Trapdoor", as a new large-scale Android scheme combining malicious ads, hidden ad-fraud activity, and multistage device infection. The campaign involved 455 different Android applications and 183 domains used as control infrastructure, and at its most active it generated approximately 659,000,000 ad requests per day.
The authors of the report (Luisa Abel, Ryan Joy, João Marques, João Santos, and Adam Sell) state that the Trapdoor scheme started with what looked like ordinary utility apps (PDF viewers, cleaners, and the like); users who downloaded them were completely unaware that they had just become part of a much larger malicious scheme.
As soon as one of these apps was installed, it ran a malvertising campaign that pushed victims to download additional Android apps, and it was these second-stage apps that carried out the main malicious function. In this second step of the infection, the apps opened hidden WebViews to HTML5 domains owned or controlled by the attackers, causing the victims' smartphones to request advertisements.
Victims' smartphones also served as tools for hidden ad fraud and automated touch fraud. As HUMAN states, the entire mechanism is designed as a self-sustaining profit model: organic downloads of one application become the income source that funds new malicious advertising campaigns.
The researchers point out that the developers behind the Trapdoor network used HTML5 domains both to drive traffic to the campaign and to monetize it. A similar mechanism has been seen before in the SlopAds, Low5, and BADBOX 2.0 campaigns.
When Trapdoor reached its peak, it produced an average of around 659 million daily bid requests. In total, the apps that were linked to the Trapdoor campaign were downloaded over 24 million times. More than 75% of the total traffic was from the U.S.
Attribution tracking tools were one of the primary ways the attackers activated the malicious behavior. Legitimate install-attribution software was used to trigger the malicious behavior only for users who had clicked through the attackers' advertisements.
Users who installed the application directly from the Google Play Store, or via sideloading, generally did not experience any malicious activity. This selective triggering allowed the attackers to keep the malicious behavior hidden from detection systems.
In addition to using attribution tracking tools, the attackers actively employed anti-analysis and obfuscation measures. They disguised malicious components as legitimate SDKs (Software Development Kits), so that the malicious code appeared to belong to the normal Android environment.
HUMAN's Vice President of Threat Intelligence, Lindsay Kay, stated that this campaign combined multiple avenues: delivery of malicious advertising, stealthy monetization via ad fraud, and multi-step delivery of malware.
Following responsible disclosure of the campaign, Google removed all identified malicious apps from the Google Play Store. Google confirmed that it had neutralized the campaign and provided additional protection to Android users via Google Play Protect. The full list of affected Android applications can be found here.
Gavin Reid, HUMAN's CISO, called Trapdoor "just another example" of how legitimate marketing tools are being exploited by cyber-criminals to hide illicit activities. According to him, the attackers continue to increase the complexity of their campaigns by combining utility applications, HTML5 domains, and selective triggering mechanisms designed to keep malicious activity hidden even from security researchers.