New Android malware uses AI and machine learning to perform hidden ad click-fraud, spreading via app stores, APK sites, and modded apps.
Security researchers have uncovered a new strain of Android malware that uses artificial intelligence and machine learning to carry out sophisticated click-fraud operations. Unlike traditional click-fraud trojans that rely on scripted commands, this emerging malware family analyzes visual elements on web pages to identify and interact with advertisements—mimicking real user behavior with greater accuracy.
The malware leverages TensorFlow.js, Google’s open-source machine learning library, allowing AI models to run directly within a browser environment. Instead of executing predefined JavaScript click routines or interacting with web pages at the DOM level, the trojan uses visual recognition to locate and tap specific ad components. This approach makes the attack more resilient against dynamic ad layouts, embedded videos, iframes, and frequently changing interfaces.
Researchers at mobile security firm Dr.Web reported that the malware is being distributed through GetApps, Xiaomi’s official app marketplace. Once installed, the trojan can operate in a so-called “phantom mode,” where it launches a concealed WebView-based browser in the background. This hidden browser loads target web pages and associated scripts, takes screenshots of the virtual screen, and feeds them into a remotely hosted AI model for analysis.
After identifying the correct user interface elements, the malware simulates legitimate actions such as taps and scrolls, effectively generating fraudulent ad interactions without raising suspicion. Because all activity occurs within a hidden virtual environment, users receive no visible indication that anything unusual is happening on their device.
In a more advanced “signalling mode,” the malware uses WebRTC technology to stream live footage of the hidden browser to attackers. This enables real-time remote control, allowing operators to manually interact with ads, scroll through pages, or enter text as needed.
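As an added example that is not code from the report or from Dr.Web, the following constructed Python triage heuristic unpacks an APK (a ZIP archive) and flags the co-occurrence of the three building blocks the article attributes to this family: a bundled TensorFlow.js runtime, WebRTC signalling code, and WebView usage. The indicator patterns and the in-memory sample archive are assumptions built for illustration, not indicators published by the researchers.

```python
import io
import re
import zipfile

# Hypothetical indicator patterns derived from the components described in
# the report: TensorFlow.js runtime, WebRTC signalling, and a WebView loader.
INDICATORS = {
    "tfjs": re.compile(rb"tf\.min\.js|@tensorflow/tfjs|tf\.loadGraphModel"),
    "webrtc": re.compile(rb"RTCPeerConnection|createOffer|onicecandidate"),
    "webview": re.compile(rb"android/webkit/WebView|addJavascriptInterface"),
}

def scan_apk(data: bytes) -> dict:
    """Return which indicator groups appear inside the APK, and in which members."""
    hits = {name: [] for name in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            if info.file_size > 50_000_000:  # skip oversized members
                continue
            content = apk.read(info)
            for name, pattern in INDICATORS.items():
                if pattern.search(content):
                    hits[name].append(info.filename)
    return hits

def triage_verdict(hits: dict) -> str:
    """Flag as suspicious only when all three building blocks co-occur in one APK."""
    groups = [name for name, files in hits.items() if files]
    if set(groups) == set(INDICATORS):
        return "suspicious: hidden-webview + ml + webrtc pattern"
    return "inconclusive: partial indicators %s" % ",".join(groups)

def build_sample_apk(with_webrtc: bool) -> bytes:
    """Construct a fake APK in memory for demonstration (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/tf.min.js", b"/* @tensorflow/tfjs runtime stub */")
        z.writestr("classes.dex", b"Landroid/webkit/WebView;->loadUrl addJavascriptInterface")
        if with_webrtc:
            z.writestr("assets/signal.js", b"const pc = new RTCPeerConnection(); pc.createOffer()")
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (True, False):
        print(triage_verdict(scan_apk(build_sample_apk(flag))))
```

Content-only matching of this kind is a first-pass filter; a benign app bundling an ML library and a video-call SDK would trip it, so results should feed manual review rather than an automatic block.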
The threat actors behind the campaign primarily distribute the malware through gaming apps on Xiaomi’s GetApps platform. In many cases, applications are initially published in a clean state and later receive malicious components through updates. Dr.Web identified several infected titles with tens of thousands of downloads, indicating a wide infection footprint.
Beyond official app stores, the malware is also spreading aggressively through third-party APK websites, including platforms hosting modified versions of popular apps such as Spotify, YouTube, Netflix, and Deezer. Researchers noted that a significant portion of apps promoted on certain third-party platforms were found to be compromised.
Distribution has also expanded to Telegram channels and Discord servers, with some communities hosting tens of thousands of subscribers. Notably, at least some of the infected apps function as advertised, which lowers user suspicion and increases the effectiveness of the campaign.
While click-fraud operations do not typically result in direct data theft, they remain a highly profitable cybercrime model. For affected users, the consequences include increased battery consumption, accelerated device wear, and higher mobile data usage—all occurring silently in the background.
Security experts strongly advise Android users to avoid sideloading apps and refrain from installing modified versions of popular applications that promise free premium features. Sticking to trusted app sources and monitoring app permissions remain critical steps in reducing exposure to emerging mobile threats.