📌 What Is It?
A newly spotted family of Android malware is using artificial intelligence (AI) to perform click-fraud — i.e., automatically generating fake ad clicks to make money for attackers. Unlike older malware that used scripted rules, this one leverages machine learning to visually identify ads and interact with them, mimicking real user behavior.
🤖 How It Works
1. AI-Driven Visual Detection
Instead of using traditional JavaScript click automation that looks for ad elements in a page’s code, this malware uses TensorFlow.js — an open-source machine learning library — to visually analyze screenshots of a browser and identify ad elements. Once it finds them, it “clicks” them as if a real user tapped them on the screen. These clicks look more natural and are harder for fraud detection systems to spot or block.
2. Two Operating Modes
The malware can work in two distinct modes:
🔹 Phantom Mode
- Launches a hidden WebView browser — a browser component embedded inside the app — that runs in the background (invisible to the user).
- Loads target ad pages and a JavaScript file used for the interaction logic.
- Screenshots are taken of this hidden browser’s view, so the AI model can analyze and detect ad UI elements.
- When detections are made, it simulates tapping on the correct ad elements.
This visual recognition makes the clicks appear far more human and resilient against defenses that try to detect scripted patterns.
🔹 Signalling Mode
- Uses WebRTC (a real-time communication protocol) to stream the hidden browser’s screen to attackers.
- Allows attackers to remotely interact — tapping, scrolling, or entering text — as if they were directly controlling the device.
This means the attacker can manually perform actions on the hidden browser in real time.
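The two modes above leave recognisable traces inside the app package itself: a bundled TensorFlow.js script, WebRTC calls in the interaction JavaScript, and WebView/screenshot APIs in the compiled code. The following triage script is an added example for defenders, not code from the original report or from the malware; the indicator strings, the scanned file types and the constructed sample "APK" (a plain zip) are assumptions for a heuristic, not known signatures.

```python
"""Heuristic APK triage for the hidden-WebView / TensorFlow.js / WebRTC traits."""
import io
import zipfile

# One indicator group per trait from the write-up. Byte patterns are assumed
# heuristics (DEX class descriptors and common JS API names), not signatures.
INDICATORS = {
    "tfjs": [b"tensorflow", b"tfjs"],
    "webrtc": [b"RTCPeerConnection", b"getUserMedia", b"webrtc"],
    "webview": [b"android/webkit/WebView", b"setJavaScriptEnabled"],
    "screenshot": [b"android/graphics/Bitmap", b"PixelCopy"],
}

# Only inspect entries that can carry code or bundled scripts.
SCAN_SUFFIXES = (".js", ".dex", ".json", ".html", ".xml")


def scan_apk(data: bytes) -> dict:
    """Return {trait: [zip entries where an indicator matched]} for APK bytes."""
    hits = {trait: [] for trait in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SCAN_SUFFIXES):
                continue
            content = zf.read(info.filename).lower()  # case-insensitive search
            for trait, needles in INDICATORS.items():
                if any(n.lower() in content for n in needles):
                    hits[trait].append(info.filename)
    return hits


def triage_score(hits: dict) -> int:
    """Number of distinct traits present; several together warrants manual review."""
    return sum(1 for names in hits.values() if names)


def build_sample_apk() -> bytes:
    """Constructed sample package: a game with a bundled tfjs script and a
    WebRTC signalling script, plus DEX strings for WebView and Bitmap capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/ads/tfjs.min.js", "/* @tensorflow/tfjs (constructed) */")
        zf.writestr("assets/ads/signal.js", "const pc = new RTCPeerConnection(cfg);")
        zf.writestr("classes.dex", b"Landroid/webkit/WebView; setJavaScriptEnabled "
                                   b"Landroid/graphics/Bitmap;")
        zf.writestr("res/raw/level1.bin", b"\x00\x01game data")  # not scanned
    return buf.getvalue()


if __name__ == "__main__":
    found = scan_apk(build_sample_apk())
    print(found, "score:", triage_score(found))
```

A score of 3 or more on a game that has no business streaming its screen is a cue to pull the app for dynamic analysis; a single hit (for example WebView alone) is normal for many legitimate apps.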
📦 How the Malware Is Distributed
The malware is spread through supposedly legitimate Android apps, most often games, where malicious code is added in updates after initial publication:
- These infected games are found on Xiaomi’s official GetApps store.
- The malware has also been found in modified APKs on third-party sites like Apkmody and Moddroid, including fake premium versions of popular apps (e.g., Spotify, YouTube).
- Distribution also includes Telegram channels pushing infected APK files and even Discord servers advertising trojanized apps.
Some identified infected games (with download counts) include:
- Theft Auto Mafia — ~61,000 downloads
- Cute Pet House — ~34,000
- Creation Magic World — ~32,000
- Amazing Unicorn Party — ~13,000
- Open World Gangsters — ~11,000
- Sakura Dream Academy — ~4,000
Because many of these apps actually function normally as games, users have little reason to suspect anything is wrong, which makes the infection harder to notice.
⚠️ User Impact
Unlike malware that steals data or locks devices, this click-fraud malware doesn’t directly compromise personal information. However, it still affects users by:
- Increasing battery consumption because hidden browsing runs constantly.
- Using up mobile data as it loads web pages and interacts with ads.
- Causing device wear or premature system degradation from continuous background activity.
Since the activity runs hidden and doesn’t require user action, most victims won’t notice obvious symptoms.
🛡️ Security Advice
To protect yourself:
- Avoid downloading apps from sources outside Google Play.
- Be cautious about “modded” or “Pro” versions of popular apps that promise premium features for free — these are common infection vectors.
- Stick to reputable app stores and be wary of apps that receive suspicious updates soon after installation.
🧾 Summary of Key Points
✔ The malware uses AI and machine learning (TensorFlow.js) to visually detect and click ads, bypassing traditional script-based defenses.
✔ It runs ads in a hidden browser view (WebView) on infected Android devices and can be remotely controlled.
✔ Distributed via Xiaomi’s GetApps and third-party/modified APKs — often in games or “Pro” apps.
✔ Users likely won’t notice anything unusual, but may see battery drain and data usage spikes.
✔ Avoid unofficial app sources and suspicious modified apps to reduce risk.