Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps
Briefly

"Users unwittingly download a threat actor-owned app, often a utility-style app like a PDF viewer or device cleanup tool," researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell detailed in a report shared with The Hacker News. "These apps trigger malvertising campaigns that coerce users into downloading additional threat actor-owned apps. The secondary apps launch hidden WebViews, load threat actor-owned HTML5 domains, and request ads."
"The campaign, the cybersecurity company added, is self-sustaining in that an organic app install turns into an illicit revenue generation cycle that can be used to fund follow-on malvertising campaigns. One notable aspect of the activity is the use of HTML5-based cashout sites, a pattern observed in prior threat clusters tracked as SlopAds, Low5, and BADBOX 2.0."
"At the peak of the operation, Trapdoor accounted for 659 million bid requests a day, with Android apps linked to the scheme downloaded more than 24 million times. Traffic associated with the campaign primarily originated from the U.S., which took up more than three-fourths of the traffic volume."
"The threat actors behind Trapdoor also abuse install attribution tools (technology designed to help legitimate marketers track how users discover apps) to enable malicious behavior only in users acquired through threat actor-run ad campaigns, while suppressing it for organic downloads of the associated apps."
Trapdoor targets Android users through an ad fraud and malvertising operation involving 455 malicious apps and 183 threat actor-controlled command-and-control domains. Users download seemingly legitimate utility apps such as PDF viewers or device cleanup tools, which then trigger malvertising campaigns that push additional threat actor-owned apps. The secondary apps use hidden WebViews to load threat actor-controlled HTML5 domains and request ads. The revenue cycle is self-sustaining because organic installs can be converted into illicit ad monetization that funds further malvertising. The operation reached peak scale with 659 million bid requests per day and more than 24 million app downloads, with most traffic originating in the U.S. Install attribution tools are abused to activate malicious behavior only for users acquired via threat actor-run ad campaigns while suppressing it for organic installs.
Read at The Hacker News