Android Malware Uses AI to Generate Ad Clicks, Spreads via Xiaomi GetApps and Modified Apps Outside Official Stores

45/69 Friday, January 23, 2026

Researchers from Dr.Web have discovered a new strain of Android malware that elevates traditional attack techniques by leveraging machine learning, specifically through the TensorFlow.js library, to conduct ad click-fraud. The malware spreads through Xiaomi’s GetApps app store, as well as via APK files from third-party sources, including modded app websites and messaging platforms such as Telegram and Discord. Notably, the apps are initially published without malicious functionality and only receive the harmful code in subsequent updates.

The malware features a “phantom” mode, which uses a hidden WebView to load target webpages on a virtual screen. It then captures screenshots and uses an AI model to analyze the layout, identify ad elements, and simulate taps or clicks that closely mimic real user behavior. This approach differs from traditional click-fraud trojans that rely on DOM-based scripting, allowing the malware to better handle dynamic ads, iframes, and video advertisements that frequently change or use complex structures. Researchers also observed a “signalling” mode that leverages WebRTC to stream the virtual browser’s screen back to the attacker, enabling real-time remote actions such as tapping, scrolling, or text input.

While the primary goal of this threat is to generate fraudulent advertising revenue, it can significantly impact users by causing rapid battery drain, high CPU usage, and unexpected data consumption. Users are advised to avoid installing apps from untrusted sources (especially APK files or modified apps claiming to unlock premium features for free), verify the credibility of download sources before installation, and use reputable mobile anti-malware solutions to reduce the risk of infection.

Source https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ai-to-click-on-hidden-browser-ads/