Trapdoor Android Ad Fraud: 659M Daily Bids and 183 C2 Domains
Has anyone dug into the HUMAN report on the "Trapdoor" ad fraud operation yet? The scale is wild—659 million bid requests daily originating from just 455 apps.
From an infrastructure standpoint, the use of 183 C2 domains to obfuscate the traffic suggests they're rotating infrastructure to bypass simple IP blacklists. The malware appears to masquerade as legitimate utilities while running background services to simulate ad interactions.
Since these apps often avoid official store checks initially, network anomaly detection is key. Here's a query I'm testing to flag devices with abnormally high outbound connection counts to ad-related ports, which might indicate automated bidding scripts:
DeviceNetworkEvents
// Only outbound traffic to the usual web/ad ports
| where RemotePort in (80, 443)
// Drop browsers, which legitimately generate large connection counts
| where InitiatingProcessVersionInfoOriginalFileName !in ("chrome.exe", "edge.exe", "safari.exe")
// Count connections per device and initiating process
| summarize TotalConnections = count() by DeviceId, InitiatingProcessFileName
// Threshold is a starting point; tune it against your own baseline
| where TotalConnections > 1000
| project DeviceId, Process=InitiatingProcessFileName, TotalConnections
Has anyone seen indicators of compromise (IOCs) matching these 183 domains in their perimeter logs yet? How are you handling false positives for aggressive adware vs. actual fraud like this?
Solid query. To reduce noise, you might want to explicitly filter out known ad-tech domains before aggregating counts. We encountered a similar scheme last quarter; the biggest red flag wasn't just the traffic volume, but the battery drain reports from users. If you have an EDR that monitors battery usage by process, cross-reference that with your high-network processes.
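Putting the thread's two ideas together (the per-process connection count from the original query, plus the ad-tech allowlist suggested in the reply and the IOC match the original poster asked about) as an added standalone example that is not from either post. Log lines, the allowlist, and the C2 entries are constructed placeholders; the real 183 domains would be taken from the HUMAN report.

```python
"""Added example (not from the thread): count outbound ad-port connections per
device and process, ignoring browsers and a known ad-tech allowlist, and match
destinations against a C2 indicator list. Sample data and domains are constructed."""
from collections import Counter

BROWSERS = {"chrome", "com.android.chrome", "firefox"}
# Constructed allowlist of legitimate ad-tech hosts to drop before counting.
ADTECH_ALLOWLIST = {"ads.example-network.com", "sdk.example-ads.net"}
# Placeholder entries; the real 183 domains would come from the HUMAN report.
C2_IOCS = {"c2-placeholder-01.invalid", "c2-placeholder-02.invalid"}
THRESHOLD = 1000


def parse_line(line):
    """Parse 'device=<id> proc=<name> host=<fqdn> port=<n>' into a dict."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["port"] = int(ev["port"])
    return ev


def analyze(log_lines, threshold=THRESHOLD):
    """Return (high_volume, ioc_hits): {(device, proc): count} for non-browser
    processes exceeding `threshold` connections to 80/443 (allowlist excluded),
    and {(device, proc, host)} for any connection to a listed C2 domain."""
    counts, ioc_hits = Counter(), set()
    for line in log_lines:
        ev = parse_line(line)
        if ev["host"] in C2_IOCS:
            ioc_hits.add((ev["device"], ev["proc"], ev["host"]))
        if ev["port"] not in (80, 443) or ev["proc"] in BROWSERS:
            continue
        if ev["host"] in ADTECH_ALLOWLIST:
            continue  # legitimate ad traffic, not counted toward the threshold
        counts[(ev["device"], ev["proc"])] += 1
    return {k: v for k, v in counts.items() if v > threshold}, ioc_hits


# Constructed sample: a utility app hammering an unknown bidder, a busy browser
# (ignored), an allowlisted ad host (ignored), and one C2 indicator hit.
SAMPLE = (
    ["device=dev1 proc=com.fake.calculator host=bid.unknown-ssp.example port=443"] * 1200
    + ["device=dev1 proc=com.android.chrome host=www.example.org port=443"] * 1500
    + ["device=dev2 proc=com.fake.flashlight host=ads.example-network.com port=443"] * 1100
    + ["device=dev2 proc=com.fake.flashlight host=c2-placeholder-01.invalid port=80"]
)

if __name__ == "__main__":
    high_volume, hits = analyze(SAMPLE)
    print("high volume:", high_volume)  # {('dev1', 'com.fake.calculator'): 1200}
    print("ioc hits:", hits)
```

Note that dev2's flashlight app stays under the volume threshold once its allowlisted ad traffic is dropped, yet still surfaces through the IOC match, which is why the two checks are worth running together.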
This reinforces why we strictly disable 'Unknown Sources' and block third-party app stores via MDM policy. While Play Protect isn't perfect, allowing sideloading invites this kind of 'drainware' into the environment. It's not just about data theft anymore; it's about resource theft and device availability.
I've been looking at the static analysis side. Many of these 455 apps use heavy obfuscation and native code (JNI) to hide the bidding logic. If you're analyzing APKs, check for permissions that don't match the app's stated function (e.g., a calculator requesting GET_ACCOUNTS).