Android click-fraud trojans use TensorFlow.js to tap hidden browser ads

A technical analysis by Doctor Web has found that a new family of Android click-fraud trojans uses TensorFlow.js models to detect and interact with hidden browser ads; some of the infected apps show tens of thousands of downloads.

KEY FACTS

  • Incident: Android trojans use machine learning to analyze screenshots and automate ad clicks
  • Distribution: delivered through Xiaomi GetApps and third-party APK sites, plus Telegram and Discord
  • Modes: “phantom” (hidden WebView for automated clicks) and “signalling” (WebRTC for remote control)
  • Sample reach: some infected games recorded tens of thousands of downloads, one at 61,000

The threat actor first submitted clean games to Xiaomi’s GetApps catalogue and introduced the malicious components in later updates; the apps continued to appear functional to users.

In phantom mode, a hidden WebView loads a target page and a JavaScript file. The malware downloads a trained TensorFlow.js model, renders the page on a virtual screen, takes screenshots, and uses visual analysis of those screenshots to identify and tap relevant UI elements.

Signalling mode streams the virtual browser display to attackers over WebRTC, enabling real-time actions such as tapping, scrolling, and entering text. Because clicks are driven by visual analysis rather than by scripted DOM events, the approach is resilient against dynamic ads, iframes, and video.
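The two modes described above leave a recognisable combination of on-device behaviours: a WebView that is never shown, a fetch of TensorFlow.js model artefacts, web traffic while the app is in the background, and a WebRTC session. The following added example (not code from the Doctor Web analysis or from the malware) correlates such per-package telemetry events into a "phantom" or "signalling" verdict; the event schema, the sample records and the assumption that the model uses the default TensorFlow.js artefact names (model.json plus shard files) are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry: (package, event kind, detail, app in foreground?)
SAMPLE_EVENTS = [
    ("com.example.puzzlegame", "webview_create", "visibility=invisible", False),
    ("com.example.puzzlegame", "net", "https://cdn.example.test/ml/model.json", False),
    ("com.example.puzzlegame", "net", "https://cdn.example.test/ml/group1-shard1of3.bin", False),
    ("com.example.puzzlegame", "net", "https://ads.example.test/click?id=42", False),
    ("com.example.puzzlegame", "webrtc", "peer_connection_open", False),
    ("com.example.notes", "webview_create", "visibility=visible", True),
    ("com.example.notes", "net", "https://sync.example.test/api", True),
]

# Each indicator is a predicate over (kind, detail, foreground). The TF.js artefact
# names are an assumption: the page does not state what the model files are called.
INDICATORS = {
    "hidden_webview": lambda k, d, fg: k == "webview_create" and "invisible" in d,
    "tfjs_model_fetch": lambda k, d, fg: k == "net"
        and (d.endswith("model.json") or "-shard" in d),
    "background_web_traffic": lambda k, d, fg: k == "net" and not fg,
    "webrtc_session": lambda k, d, fg: k == "webrtc",
}

PHANTOM_SET = {"hidden_webview", "tfjs_model_fetch", "background_web_traffic"}


def collect_indicators(events):
    """Map each package to the set of indicator labels its events triggered."""
    hits = defaultdict(set)
    for pkg, kind, detail, fg in events:
        for label, pred in INDICATORS.items():
            if pred(kind, detail, fg):
                hits[pkg].add(label)
    return dict(hits)


def classify(indicators):
    """Return the suspected modes for one package's indicator set."""
    modes = []
    if len(indicators & PHANTOM_SET) >= 2:          # hidden WebView doing ad work
        modes.append("phantom")
    if {"webrtc_session", "hidden_webview"} <= indicators:  # remote-controlled browser
        modes.append("signalling")
    return modes


def suspicious_packages(events):
    """Packages with at least one suspected mode, e.g. {'com.example.puzzlegame': [...]}."""
    return {pkg: classify(ind) for pkg, ind in collect_indicators(events).items()
            if classify(ind)}
```

A single indicator such as background traffic is common in benign apps, which is why the verdict requires the combination rather than any one signal.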

The trojans were also distributed via altered APKs on sites like Apkmody and Moddroid and through Telegram channels and a Discord server. Many infected apps continued to function, reducing user suspicion. Direct user effects include battery drain and higher mobile data charges. Users should avoid installing apps outside Google Play.

WHY IT MATTERS

The technique enables covert ad fraud that generates revenue for attackers while leaving little visible sign on devices. That raises the risk of large-scale ad fraud and shifts costs to users and advertisers.