Researchers at HUMAN’s threat intelligence team have dismantled a large-scale Android fraud operation called Trapdoor. At its peak, the scheme hid inside 455 apps downloaded more than 24 million times — mostly in the United States — and was quietly generating 659 million fake advertising clicks every single day. The apps looked like ordinary utility tools such as PDF viewers and device-cleanup apps. Once installed, they displayed fake “system update” pop-ups that tricked users into installing a second hidden app, which then ran an invisible browser in the background to rack up fraudulent ad revenue.
The people whose phones were recruited into this scheme never saw anything unusual — just a slightly warmer phone, a shorter battery life, and extra data usage they couldn’t explain. No passwords or personal information were stolen, but the constant background activity degraded device performance. Google has now removed all 455 apps from the Play Store and disabled them on devices where Google Play Protect is active.
How to check if you’re affected
Affected devices are Android phones or tablets that had any of the 455 fraudulent apps installed. Because the apps mimicked utility tools, they are easy to overlook. To clean up:
- Open the Google Play Store, tap your profile picture, and select Play Protect → Scan. Play Protect will flag and offer to remove any remaining harmful apps.
- Review your installed apps for PDF tools, battery optimizers, or device-cleaner apps you don’t remember installing — uninstall anything unfamiliar.
- If your battery life or data usage returns to normal after cleaning, your phone was likely affected.