A sophisticated Android malware strain has emerged, harnessing machine learning to orchestrate clandestine advertising fraud through deceptive click-through generation. Identified by the forensic analysts at Dr.Web, this malicious agent masquerades as innocuous gaming applications and proliferates via GetApps—the official repository for Xiaomi devices—as well as third-party domains and Telegram channels.
The architects of this malware have integrated TensorFlow.js, an open-source framework pioneered by Google that facilitates the execution of machine learning models within browser and server environments. This integration allows the software to convincingly emulate authentic human behavior; rather than relying on conventional JavaScript scripts, the program visually scrutinizes the webpage. It captures snapshots of a virtual browser, identifies interactive advertising elements through visual recognition, and simulates “physical” clicks upon them.
According to Dr.Web’s findings, the malware operates in two distinct modalities. In the “Phantom” mode, the application utilizes a hidden, integrated WebView browser to load target pages and inject scripts that govern clicking activities—all transpiring beneath the user’s threshold of perception. Conversely, the “Signaling” mode leverages WebRTC technology to provide cybercriminals with real-time visual telemetry of the hidden browser, enabling manual intervention such as scrolling, text entry, or precise element selection.
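The behaviour described above (a hidden WebView issuing clicks at machine-regular intervals with no accompanying scroll or touch activity) leaves a signature on the ad network's side. The following is an added example of a server-side heuristic written for this article, not Dr.Web's tooling or the malware's own code; the log lines, session ids and device name are constructed. It relies on two facts a practitioner can verify: Android's Chrome-based WebView marks its user agent with a "; wv)" token and a "Version/4.0" field, and scripted clicks tend to have a far lower interval variance than human ones.

```python
"""Heuristic scoring of ad-click sessions for hidden-WebView automation.

Added example (not Dr.Web's code or the malware's own). The log format,
session ids and device name are constructed for illustration.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed user agents. Android WebView appends "; wv)" and "Version/4.0";
# a normal Chrome tab on Android does not.
UA_CHROME = ("Mozilla/5.0 (Linux; Android 13; ExampleDevice) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36")
UA_WEBVIEW = ("Mozilla/5.0 (Linux; Android 12; ExampleDevice; wv) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Version/4.0 Chrome/120.0.0.0 Mobile Safari/537.36")

# Constructed sample log: <timestamp_ms> <session> <event> <user-agent>
SAMPLE_LOG = "\n".join([
    f"1700000000000 s1 scroll {UA_CHROME}",
    f"1700000003210 s1 click {UA_CHROME}",
    f"1700000019850 s1 scroll {UA_CHROME}",
    f"1700000027112 s1 click {UA_CHROME}",
    f"1700000000000 s2 click {UA_WEBVIEW}",
    f"1700000005010 s2 click {UA_WEBVIEW}",
    f"1700000010020 s2 click {UA_WEBVIEW}",
    f"1700000014990 s2 click {UA_WEBVIEW}",
])

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_log(text):
    """Group (timestamp, event, user_agent) tuples by session id."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the batch
        ts, session, event, ua = m.groups()
        sessions[session].append((int(ts), event, ua))
    return sessions


def assess_session(events, min_clicks=3, max_cv=0.05):
    """Return indicators for one session; flag it when two or more fire."""
    events = sorted(events)
    clicks = [ts for ts, ev, _ in events if ev == "click"]
    human_signals = sum(1 for _, ev, _ in events if ev in ("scroll", "touchmove"))
    ua = events[-1][2]
    reasons = []
    if "; wv)" in ua:
        reasons.append("android-webview-ua")
    cv = None
    if len(clicks) >= min_clicks:
        gaps = [b - a for a, b in zip(clicks, clicks[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the inter-click gap: near zero = metronomic.
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv < max_cv:
            reasons.append("metronomic-clicks")
    if clicks and human_signals == 0:
        reasons.append("clicks-without-scroll")
    return {"clicks": len(clicks), "interval_cv": cv,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def assess_all(log_text):
    """Score every session in a log; returns {session_id: indicators}."""
    return {sid: assess_session(evs) for sid, evs in parse_log(log_text).items()}


if __name__ == "__main__":
    for sid, result in assess_all(SAMPLE_LOG).items():
        print(sid, result)
```

A WebView user agent on its own is not evidence of fraud, since many legitimate apps embed one; that is why the score requires at least two independent indicators before a session is flagged, and why the thresholds are parameters to be tuned against a network's own traffic.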
To evade detection, the malware is initially submitted to app repositories as benign games devoid of any malicious payload. The harmful functionality is then introduced quietly through post-installation updates. Among the compromised applications identified on GetApps are:
- Theft Auto Mafia (61,000 downloads)
- Cute Pet House (34,000 downloads)
- Creation Magic World (32,000 downloads)
- Amazing Unicorn Party (13,000 downloads)
- Open World Gangsters (11,000 downloads)
- Sakura Dream Academy (4,000 downloads)
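Because the malicious functionality arrives only with a later update, one routine check an app-store reviewer or mobile analyst performs is to diff the declared permissions and components between an app's first release and the update. The script below is an added example written for this article, not Dr.Web's tooling; both manifests, the package name and the component names are constructed to mimic the pattern the article describes (a clean first release, then an update that adds a boot-started background service).

```python
"""Diff AndroidManifest.xml declarations between two versions of an app.

Added example, not Dr.Web's tooling. The two manifests below are constructed;
com.example.game and its component names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that rarely belong in a casual game and deserve a second look.
REVIEW_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed first release: network access for ads and one activity.
MANIFEST_V1 = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Example Game">
    <activity android:name="com.example.game.MainActivity"/>
  </application>
</manifest>
"""

# Constructed update: adds a boot receiver and a background service.
MANIFEST_V2 = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Example Game">
    <activity android:name="com.example.game.MainActivity"/>
    <service android:name="com.example.game.sync.WorkerService"/>
    <receiver android:name="com.example.game.sync.BootReceiver"/>
  </application>
</manifest>
"""


def extract_declarations(manifest_xml):
    """Return (permissions, components) declared in a manifest string."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    comps = set()
    for tag in ("activity", "service", "receiver", "provider"):
        for e in root.iter(tag):
            comps.add(f"{tag}:{e.get(NAME_ATTR)}")
    return perms, comps


def diff_versions(old_xml, new_xml):
    """Report what an update added and whether any addition needs review."""
    old_p, old_c = extract_declarations(old_xml)
    new_p, new_c = extract_declarations(new_xml)
    added_p = sorted(new_p - old_p)
    added_c = sorted(new_c - old_c)
    return {
        "added_permissions": added_p,
        "added_components": added_c,
        "review_needed": bool(set(added_p) & REVIEW_PERMISSIONS) or
                         any(c.startswith(("service:", "receiver:")) for c in added_c),
    }


if __name__ == "__main__":
    for key, value in diff_versions(MANIFEST_V1, MANIFEST_V2).items():
        print(f"{key}: {value}")
```

The caveat for this particular family is that a WebView loads its pages and injected scripts from a server at run time, so an update can change what the app does without touching the manifest at all; a clean manifest diff narrows the review, it does not close it.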
Beyond GetApps, malicious APKs are disseminated through portals offering modified versions of ubiquitous services like Spotify, YouTube, Deezer, and Netflix. Analysts have noted that a majority of the applications featured in the “Editor’s Choice” section of the Moddroid site are infected. Furthermore, the contagion has spread to Telegram and Discord servers, appearing as “Pro” or “Plus” iterations of popular software.
While these fraudulent schemes do not prioritize the direct exfiltration of sensitive data, they profoundly degrade the device’s operational integrity—diminishing battery longevity, accelerating hardware wear, and consuming mobile data quotas. The peril is magnified by the fact that these counterfeit applications often remain fully functional, ensuring that the infection remains unobserved by the user for an extended duration.