Deconstructing Trapdoor: Anatomy of a 659M Request Botnet
Just finished reading the HUMAN Satori report on the 'Trapdoor' operation. It’s absolutely wild—659 million daily bid requests originating from 455 distinct malicious apps. It’s not just simple ad fraud anymore; it’s a fully realized infrastructure abusing Android devices as proxies for malvertising.
What stands out to me is the resilience of their C2 setup. With 183 threat actor-owned domains, takedowns are going to be a game of whack-a-mole. The report mentions these apps were turning devices into a pipeline for "multi-stage fraud," which suggests they aren't just clicking ads but likely interacting with the bidding supply chain directly.
For those of you handling BYOD or mobile fleets, I recommend checking for unusually high data usage or background processes on non-essential apps. If you have rooted devices or a testing environment, you can spot suspicious background network activity using ADB.
Here’s a quick snippet to dump active TCP connections and look for high-frequency connections to unknown IPs:
# Check established connections and count packets per foreign address
adb shell cat /proc/net/tcp | awk '{print $3}' | sort | uniq -c | sort -nr | head -20
You're looking for connections that persist even when the user isn't actively interacting with the screen. The lack of UI interaction coupled with heavy traffic is the signature here.
How is everyone else approaching mobile telemetry for this kind of fraud? Are you relying on network egress monitoring, or does anyone have luck with on-device EDR catching this?
We actually caught a precursor to this behavior last month using Microsoft Defender for Endpoint. The spike in DeviceNetworkEvents was the giveaway. We built a KQL rule to flag devices connecting to more than 50 distinct ad-domain endpoints within a 5-minute window.
It filters out known legitimate ad vendors and focuses on the 'long tail' of domains, which usually catches these low-reputation C2s. If you're an M365 shop, I highly recommend checking the NetworkCommunication schema rather than relying solely on firewall logs, as the app-level context is crucial for identifying which 455 apps are the culprits.
I'd add that static analysis is your friend here before deployment. We've been integrating MobSF into our CI pipeline for internal apps, but it’s useful for vetting third-party stuff too.
Look for heavy usage of reflection and obfuscation libraries in the DEX file. These fraudsters almost always pack their code to bypass static analysis scanners. If you see an app requesting INTERNET and ACCESS_BACKGROUND_SERVICE permissions but lacks a clear UI need for them, treat it as hostile until proven otherwise.
The proxy functionality turns this into a network-layer nightmare, not just an endpoint issue. We’ve started enforcing stricter TLS fingerprinting (JA3) on our firewalls to distinguish these SDKs from genuine mobile browsers.
Also, don't underestimate the value of RPZs for DNS. Sinkholing those specific C2 domains prevents the callbacks immediately, buying you time for device remediation.
Managing 183+ evolving domains manually is a losing battle. We’ve automated our response by scripting the ingestion of IOCs directly into our DNS sinkhole. It saves hours of triage. Here’s a Python snippet we use to parse new reports and push updates to our filtering appliance, ensuring we stay ahead of the whack-a-mole game.
import requests
def update_sinkhole(domains):
api_url = "https://your-filtering-api/api/v1/blocklist"
payload = {"domains": domains, "source": "Trapdoor_Report"}
response = requests.post(api_url, =payload)
return response.status_code
# Example usage
trapdoor_domains = ["malicious1.com", "malicious2.net"]
update_sinkhole(trapdoor_domains)
Since this is fundamentally a proxy operation, checking for egress traffic patterns is vital. We've deployed Zeek scripts to flag HTTP requests with suspiciously consistent timing or missing Referer headers, which often betrays automated SDK traffic versus human browsing.
zeek event http_request(c: connection, method: string, original_URI: string, ...) { if ( method == "POST" && c$http$referer == "" && !is_private_addr(c$id$orig_h) ) print fmt("Suspicious Proxy Traffic from %s", c$id$orig_h); }
This heuristic catches the activity even when they rotate the 183 domains.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access