Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users.
The activity, per HUMAN’s Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud.
“Users unwittingly download a threat actor-owned app, often a utility-style app like a PDF viewer or device cleanup tool,” researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell detailed in a report shared with The Hacker News.
“These apps trigger malvertising campaigns that coerce users into downloading additional threat actor-owned apps. The secondary apps launch hidden WebViews, load threat actor-owned HTML5 domains, and request ads.”
The campaign, the cybersecurity company added, is self-sustaining in that an organic app install turns into an illicit revenue generation cycle that can be used to fund follow-on malvertising campaigns. One notable aspect of the activity is the use of HTML5-based cashout sites, a pattern observed in prior threat clusters tracked as SlopAds, Low5, and BADBOX 2.0.
At the peak of the operation, Trapdoor accounted for 659 million bid requests a day, with Android apps linked to the scheme downloaded more than 24 million times. Traffic associated with the campaign primarily originated from the U.S., which accounted for more than three-fourths of the traffic volume.
“The threat actors behind Trapdoor also abuse install attribution tools (technology designed to help legitimate marketers track how users discover apps) to enable malicious behavior only in users acquired through threat actor-run ad campaigns, while suppressing it for organic downloads of the associated apps,” HUMAN said.
Trapdoor combines two otherwise separate approaches, malvertising distribution and hidden ad-fraud monetization. Unsuspecting users download bogus apps posing as harmless utilities; those apps act as a conduit for serving malicious ads for other Trapdoor apps, which in turn perform automated touch fraud, launch hidden WebViews, load threat actor-controlled cashout domains, and request ads.
It’s worth noting that only the second-stage app is used to trigger fraud. Once the organically downloaded app is launched, it serves fake pop-up alerts that mimic app update messages to trick users into installing the next-stage app.
This behavior also indicates that the payload is activated only for those who fall victim to the advertising campaign. In other words, anybody who downloads the app directly from the Play Store or sideloads it will not be targeted. Besides this selective activation technique, Trapdoor employs various anti-analysis and obfuscation techniques to sidestep detection.
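The behaviour chain above (a hidden WebView in the second-stage app, a threat actor-controlled HTML5 page loaded into it, ad requests issued from that invisible page, and activation gated on install attribution) lends itself to a simple defender-side heuristic. The following script is an added example written for this article, not code from HUMAN or from the Trapdoor apps; the telemetry line format, package names, domains and the `paid_campaign`/`organic` attribution labels are all constructed for illustration.

```python
"""Heuristic detector for the Trapdoor-style behaviour chain described in the
article. Telemetry format, package names and hostnames below are constructed
for this example; none of them are indicators taken from the report.
Each telemetry line: <package> <install_source> <event> [key=value ...]
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed sample telemetry: one benign utility app, and one app whose paid-campaign
# installs show the hidden-WebView ad-fraud pattern while its organic installs do not.
SAMPLE_TELEMETRY = """\
com.example.pdfviewer organic app_open
com.example.pdfviewer organic webview_create visible=true id=1
com.example.pdfviewer organic webview_load id=1 url=https://docs.example.com/help
com.example.cleaner2 paid_campaign app_open
com.example.cleaner2 paid_campaign webview_create visible=false id=7
com.example.cleaner2 paid_campaign webview_load id=7 url=https://h5-cashout.example-c2.test/game.html
com.example.cleaner2 paid_campaign ad_request webview=7 url=https://ads.example-ssp.test/bid
com.example.cleaner2 paid_campaign ad_request webview=7 url=https://ads.example-ssp.test/bid
com.example.cleaner2 paid_campaign touch_inject webview=7
com.example.cleaner2 organic app_open
com.example.cleaner2 organic webview_create visible=true id=2
com.example.cleaner2 organic webview_load id=2 url=https://cleaner-app.example.com/privacy
"""


@dataclass
class Session:
    """Aggregated behaviour of one app under one install-attribution source."""
    package: str
    install_source: str
    hidden_webviews: Set[str] = field(default_factory=set)
    hidden_loads: List[str] = field(default_factory=list)  # hostnames loaded in hidden WebViews
    hidden_ad_requests: int = 0
    touch_injections: int = 0


def parse_telemetry(text: str) -> Dict[Tuple[str, str], Session]:
    """Fold telemetry lines into per-(package, install_source) sessions."""
    sessions: Dict[Tuple[str, str], Session] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        package, source, event = parts[:3]
        kv = dict(p.split("=", 1) for p in parts[3:])
        s = sessions.setdefault((package, source), Session(package, source))
        if event == "webview_create" and kv.get("visible") == "false":
            s.hidden_webviews.add(kv["id"])
        elif event == "webview_load" and kv.get("id") in s.hidden_webviews:
            s.hidden_loads.append(urlparse(kv["url"]).hostname or "")
        elif event == "ad_request" and kv.get("webview") in s.hidden_webviews:
            s.hidden_ad_requests += 1
        elif event == "touch_inject" and kv.get("webview") in s.hidden_webviews:
            s.touch_injections += 1
    return sessions


def indicators(s: Session) -> List[str]:
    """Name each stage of the chain that was observed in a session."""
    found = []
    if s.hidden_webviews:
        found.append("hidden_webview")
    if s.hidden_loads:
        found.append("hidden_webview_loads_remote_page")
    if s.hidden_ad_requests:
        found.append("ad_request_from_hidden_webview")
    if s.touch_injections:
        found.append("synthetic_touch_in_hidden_webview")
    return found


def flag_apps(sessions: Dict[Tuple[str, str], Session]) -> Dict[str, dict]:
    """Per package: indicators by install source, whether hidden ad fraud was seen,
    and whether it was seen only for paid-campaign installs (attribution gating)."""
    by_pkg: Dict[str, Dict[str, List[str]]] = {}
    for (pkg, src), s in sessions.items():
        by_pkg.setdefault(pkg, {})[src] = indicators(s)
    report = {}
    for pkg, by_src in by_pkg.items():
        fraud_sources = {src for src, ind in by_src.items()
                         if "ad_request_from_hidden_webview" in ind}
        report[pkg] = {
            "indicators": by_src,
            "hidden_ad_fraud": bool(fraud_sources),
            # Fraud present for paid installs, absent for organic installs of the same app
            "attribution_gated": ("paid_campaign" in fraud_sources
                                  and "organic" in by_src
                                  and "organic" not in fraud_sources),
        }
    return report


if __name__ == "__main__":
    for pkg, verdict in flag_apps(parse_telemetry(SAMPLE_TELEMETRY)).items():
        print(pkg, verdict)
```

The `attribution_gated` field is the practical caveat: because the payload only fires for installs attributed to the actor's own ad campaigns, a sandbox or reviewer that installs the app directly (an "organic" path) will observe nothing unusual, so this comparison needs behaviour captured from both install paths before an app can be cleared.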
“This operation uses real, everyday software and multiple…