Cybersecurity researchers have revealed details of a new ad fraud and malware operation dubbed Trapdoor targeting Android device users.
According to HUMAN’s Satori Threat Intelligence and Research team, this activity involved 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, which turned the infrastructure into a pipeline for multi-stage fraud.
“Users unknowingly download a threat actor-owned app, which is often a utility-style app like a PDF viewer or device cleanup tool,” researchers Luisa Abel, Ryan Joy, Joao Marques, Joao Santos, and Adam Sale detailed in a report shared with The Hacker News.
“These apps run malicious campaigns that force users to download additional threat actor-owned apps. Secondary apps launch hidden webviews, load threat actor-owned HTML5 domains, and request advertisements.”
The cybersecurity company said the campaign is self-sustaining in the sense that an organic app install turns into an illicit revenue generation cycle that can be used to finance follow-on malware campaigns. One notable aspect of the activity is the use of HTML5-based cashout sites, a pattern observed in previously tracked threat groups such as SlopAds, Low5, and BADBOX 2.0.
At the peak of the operation, Trapdoor generated 659 million bid requests per day, and the Android apps associated with the scheme had been downloaded more than 24 million times. Traffic associated with the campaign originated primarily from the US, which accounted for more than three-quarters of the traffic volume.
“The threat actors behind Trapdoor simply abuse the attribution tool (a technology designed to help legitimate marketers track how users search for apps) to enable malicious behavior in users obtained through ad campaigns run by the threat actor, while suppressing it for organic downloads of related apps,” Human said.
Trapdoor combines two different approaches, malicious distribution and hidden ad fraud monetization: unsuspecting users download fake apps masquerading as harmless utilities, and those apps act as a medium for other Trapdoor apps that serve malicious ads, perform automated touch fraud, launch hidden webviews, load threat actor-controlled cashout domains, and request ads.
It is worth noting that only the second-stage apps are used to trigger the fraud. Once the organically downloaded app is launched, it serves fake pop-up alerts that mimic app update messages to trick users into installing the next-stage app.
This behavior also indicates that the payload is only active for those who fall victim to the ad campaign. In other words, anyone who downloads the app directly from the Play Store or sideloads it will not be targeted. In addition to this selective activation technique, Trapdoor uses various anti-analysis and obfuscation techniques to avoid detection.
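The selective activation described above is what makes an organic or lab install look clean: the payload only fires for installs attributed to the actor's ad campaigns. As an added example that is not from the HUMAN report, the following Python compares per-app behaviour between campaign-attributed and organic install cohorts over constructed telemetry; the app names, field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the HUMAN report): one record per
# install session, with the install source and the ad behaviour observed.
SAMPLE_SESSIONS = [
    {"app": "pdf.viewer.a", "source": "campaign", "hidden_webview": True, "ad_requests": 180},
    {"app": "pdf.viewer.a", "source": "campaign", "hidden_webview": True, "ad_requests": 210},
    {"app": "pdf.viewer.a", "source": "organic", "hidden_webview": False, "ad_requests": 0},
    {"app": "pdf.viewer.a", "source": "organic", "hidden_webview": False, "ad_requests": 2},
    {"app": "cleaner.b", "source": "campaign", "hidden_webview": False, "ad_requests": 3},
    {"app": "cleaner.b", "source": "organic", "hidden_webview": False, "ad_requests": 4},
]


def cohort_stats(sessions):
    """Per (app, install source): mean ad requests and hidden-webview rate."""
    agg = defaultdict(lambda: {"n": 0, "ads": 0, "hidden": 0})
    for s in sessions:
        key = (s["app"], s["source"])
        agg[key]["n"] += 1
        agg[key]["ads"] += s["ad_requests"]
        agg[key]["hidden"] += int(s["hidden_webview"])
    return {
        k: {"mean_ads": v["ads"] / v["n"], "hidden_rate": v["hidden"] / v["n"]}
        for k, v in agg.items()
    }


def flag_selective_activation(sessions, ratio=10.0):
    """Flag apps whose campaign-attributed installs request far more ads than
    organic installs, or open hidden webviews only in the campaign cohort.
    Returns a sorted list of (app, campaign/organic ad-request ratio)."""
    stats = cohort_stats(sessions)
    flagged = []
    for app in sorted({app for app, _ in stats}):
        camp = stats.get((app, "campaign"))
        org = stats.get((app, "organic"))
        if not camp or not org:
            continue  # both cohorts are needed for a comparison
        ads_ratio = camp["mean_ads"] / max(org["mean_ads"], 1.0)
        hidden_only_in_campaign = camp["hidden_rate"] > 0 and org["hidden_rate"] == 0
        if ads_ratio >= ratio or hidden_only_in_campaign:
            flagged.append((app, round(ads_ratio, 1)))
    return flagged


if __name__ == "__main__":
    print(flag_selective_activation(SAMPLE_SESSIONS))
```

The point of the comparison is that a single organic test install tells you nothing; the divergence between install cohorts is the signal.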
“This operation uses real, everyday software and multiple obfuscation and anti-obfuscation techniques – such as impersonating legitimate SDKs to blend in – to help fuse malware distribution, hidden ad fraud monetization and multi-stage malware distribution,” said Lindsey Kaye, vice president of threat intelligence at Human.
Following the responsible disclosure, Google has taken steps to remove all identified malicious apps from the Google Play Store, effectively neutralizing the operation. The complete list of Android apps is available here.
“Trapdoor shows how fraudsters turn everyday app installs into a self-funding pipeline for malware and ad fraud,” said Gavin Reid, chief information security officer at Human. “This is another example of threat actors co-opting legitimate tools – such as attribution software – to aid their fraudulent campaigns and help them avoid detection.”
“By combining utility apps, HTML5 cashout domains, and selective activation techniques hidden from researchers, these actors are constantly evolving, and our Satori team is committed to tracking and disrupting them at scale.”