4 Sources
[1]
New Android malware uses AI to click on hidden browser ads
A new family of Android click-fraud trojans leverages TensorFlow machine learning models to automatically detect and interact with specific advertisement elements. The mechanism relies on visual analysis based on machine learning instead of predefined JavaScript click routines, and does not involve script-based DOM-level interaction like classic click-fraud trojans. The threat actor is using TensorFlow.js, an open-source library developed by Google for training and deploying machine learning models in JavaScript. It permits running AI models in browsers or on servers using Node.js. Researchers at mobile security company Dr.Web found that the new family of Android trojans is distributed through GetApps, the official app store for Xiaomi devices. They discovered that the malware can operate in a mode called 'phantom', which uses a hidden WebView-based embedded browser to load a target page for click-fraud and a JavaScript file. The script's purpose is to automate actions on the ads shown on the loaded site. After loading the trained model from a remote server, the hidden browser is placed on a virtual screen, and screenshots are taken for TensorFlow.js to analyze and identify relevant elements. By tapping on the correct UI element, the malware reproduces normal activity from a user. This method is more effective and resilient against modern ad variability, as most of these ads are dynamic, frequently change structure, and often use iframes or video. A second mode, called 'signalling', uses WebRTC to stream a live video feed of the virtual browser screen to the attackers, allowing them to perform real-time actions like tapping, scrolling, and entering text. The threat actor distributes the malware in games on Xiaomi's GetApps software catalogue. Initially, the apps are submitted without malicious functionality and receive the malicious components in subsequent updates. 
Some of the infected games identified by Doctor Web are:
* Theft Auto Mafia -- 61,000 downloads
* Cute Pet House -- 34,000 downloads
* Creation Magic World -- 32,000 downloads
* Amazing Unicorn Party -- 13,000 downloads
* Open World Gangsters -- 11,000 downloads
* Sakura Dream Academy -- 4,000 downloads
In addition to the Xiaomi-hosted apps, the trojans are distributed via third-party APK sites (e.g., Apkmody and Moddroid) as altered versions, the so-called mods, of the original Spotify, YouTube, Deezer, and Netflix apps. The researchers say that most apps on Moddroid's "Editor's Choice" page are infected. Infected APK files are also distributed through Telegram channels, some app examples including Spotify Pro, Spotify Plus - Official, Moddroid.com, and Apkmody Chat. Dr.Web also found a Discord server with 24,000 subscribers pushing an infected app called Spotify X. The researchers note that at least some of these apps "actually work," which reduces users' suspicion. Combined with the fact that click fraud is executed covertly in a hidden WebView rendering content on a virtual screen, this means that the victims will see no indication of the malicious activity. Although clickjacking and ad fraud aren't immediate threats to the user's privacy and data, they are a lucrative cybercriminal activity. The direct impact on the user is battery drainage and premature degradation, and increased mobile data charges. Android users are advised to avoid installing apps outside Google Play, especially alternative versions for popular apps that promise extra features or free access to premium subscriptions.
[2]
Beware: New Android malware uses AI to sneakily commit ad fraud on your phone
The malware is found on certain games distributed through inappropriate app stores, but some have also been found in Xiaomi's GetApps app store. AI is designed to make our lives easier, but it's also adept at making them more difficult. AI-powered tools are becoming increasingly popular among hackers, who can now launch sophisticated attacks that stray from established patterns. One such malware has been detected in a few Android games, and it can be used to commit fraud or attack others through your device. Researchers at Dr. Web (via Bleeping Computer) have identified a class of trojanware that uses AI to click on ads. According to the researchers, the so-called "clickjacking" malware uses Google's open-source TensorFlow.js library to run machine learning models to interact with ads inside certain apps or games. Ads are common in free-to-play casual Android games, and some developers may resort to using trojanware to artificially inflate click-through rates, thereby increasing the revenue they generate from these ads. The malware uses machine learning models to analyze the page content when the ad appears and interact with it without any user action. Machine learning is especially useful for overcoming challenges posed by dynamic, varied ads embedded in apps or games. It can also operate in a "phantom" mode to load a hidden browser window to interact with ads automatically. When the machine learning models fail, colluding developers or other bad actors can take over the user's screen and perform actions like scrolling or tapping manually using a technique called "signaling." Dr. Web has identified that several of these games laced with the trojanware are being circulated using Xiaomi's GetApps alternative app store. All of these are also attributed to a single developer named Shenzhen Ruiren Network Co. Ltd. 
In addition to Xiaomi's app store, these games are also being circulated through rogue APK distribution platforms, such as Apkmody and Moddroid, as well as through Telegram channels that claim to offer modded versions of apps like Spotify and Netflix. Researchers add that while clickjacking, or ad fraud, does not immediately harm the users, this malware, especially with its ability to hijack a user's device remotely, can be used for data theft or even as a means to target other users with infected APKs or more sophisticated
[3]
Watch out - this devious new Android malware clicks on hidden browser ads to put you at risk
* Android trojans use TensorFlow AI to mimic human ad clicks for fraud
* Fake apps on GetApps and other platforms spread malware with hidden browsers
* At least six apps found, totaling over 155,000 downloads
Cybercriminals have apparently found a way to use Artificial Intelligence (AI) for ad fraud, tricking traditional behavior-based defenses and successfully scamming ad networks and advertisers out of their money. Ad networks and advertisers earn money, among other things, when people click on ads. Since the inception of online ads, criminals were looking for ways to automate the clicks, in order to generate large numbers of ad views and through that, get paid. Since the fake clicks can only be programmed and automated, ad networks turned to behavioral analytics for defense. When the clicks happen too fast, not random enough, or similar, they are dismissed as fake. On some websites, ads would appear in different places, dynamically, preventing automated clicks.
Fake apps to power the fraud
Now, newly discovered Android trojans are using TensorFlow machine learning models to detect and click on ads in ways that mimic human behavior better. Instead of predefined JavaScript routines, the new mechanisms rely solely on visual analysis, powered by machine learning. By using TensorFlow.js, an open-source library for training and deploying machine learning models in JavaScript, crooks are able to run AI models in browsers, or on servers using Node.js. To get the malware to the victims' Android devices, the criminals created numerous fake apps, and managed to place them on GetApps, Xiaomi's official app repository. Researchers have also found these apps on numerous standalone websites, social media platforms, and instant messaging channels such as Telegram. The apps operate a mode called 'phantom' which uses a hidden embedded browser in which the ads are loaded.
The browser is placed on a virtual screen; screenshots are shared with TensorFlow to analyze and identify where the ads are. As a result, the tapping on UI elements feels more natural, tricking traditional behavior-based defenses. It was also said that the malware can live stream the virtual browser screen directly to the attackers, granting them unabated access to tap, scroll, and enter commands. So far, at least six apps were found, cumulatively having more than 155,000 downloads. Via BleepingComputer
[4]
This Android Malware Uses AI to Secretly Perform Ad Fraud on Your Phone
Hidden browser mode lets malware run ad fraud in the background
Android users are being warned about a new and more advanced form of mobile malware that quietly uses machine learning technology to generate ad clicks in the background. Unlike earlier threats that relied on predictable scripts, this malware adapts to different ad formats and operates in a hidden mode, making detection harder. Security researchers say the threat was detected in apps on an OEM's app store, as well as websites that host APKs for third-party Android apps.
Security Researchers Warn of AI-Based Android Malware Targeting Ad Networks
According to a Dr. Web report, security researchers have uncovered a new Android malware strain that uses an open-source machine learning library from Google to secretly generate ad clicks, highlighting the increasing sophistication of mobile threats. Unlike traditional ad fraud tools that rely on fixed scripts, this malware uses Google's TensorFlow.js library to analyse visual elements on the screen. When an advertisement appears inside an app or game, it identifies clickable areas and interacts with them automatically. This lets the malware adapt to changing ad formats, layouts, and placements, including dynamically embedded ads. The report adds that the malware can operate in a hidden "phantom" mode, where it launches a hidden WebView where ads are loaded and receive clicks entirely in the background. This inflates the click-through rates without any visible signs on the device. As a result, users may only notice indirect effects such as increased battery drain, higher data usage, or slower performance. If automated interactions fail, the malware can switch to a signalling mode that allows attackers to manually control actions like scrolling and tapping using a WebRTC-based signalling mode, according to the researchers. The report claimed that the malware is mainly spread through casual Android games.
Several infected apps were found on Xiaomi's GetApps store, often after being updated with malicious components following initial approval. Infected apps have also circulated on third-party APK platforms such as Apkmody and Moddroid, as well as Telegram channels that distribute modified versions of popular apps. To reduce the risk of malware, users are advised to avoid installing apps from unofficial sources, review recently downloaded games, enable Google Play Protect, and regularly audit app permissions. Keeping devices updated and running security scans can also help limit exposure to AI-driven mobile threats.
Security researchers have uncovered a sophisticated Android malware strain that uses Google's TensorFlow machine learning library to automate ad clicks in hidden browsers. The malware affects over 155,000 downloads across games distributed through Xiaomi's GetApps store and third-party platforms, operating covertly while draining batteries and inflating mobile data charges.
A new family of clickjacking trojans is using artificial intelligence to commit ad fraud on Android devices, marking a significant shift in how cybercriminals approach mobile threats. Security researchers at Dr. Web have identified malware that leverages TensorFlow.js, Google's open-source library for training and deploying machine learning models in JavaScript, to automatically detect and interact with advertisement elements [1]. Unlike traditional click fraud schemes that rely on predefined JavaScript routines, this Android malware uses visual analysis powered by machine learning models to identify clickable ad elements, making it far more resilient against modern ad variability and behavioral detection systems [3].
The malware operates through two distinct modes that enable AI-powered click fraud at scale. In phantom mode, the malware uses a covert WebView browser to load target pages on a virtual screen, where screenshots are continuously captured and analyzed by TensorFlow to identify relevant UI elements [1]. By mimicking human ad clicks through tapping on the correct elements, the malware successfully evades traditional behavior-based defenses that flag automated clicking patterns. When automated interactions fail, the malware switches to signalling mode, which uses WebRTC technology to stream live video feeds of the virtual browser screen directly to attackers, allowing them to perform real-time actions like scrolling, tapping, and entering text [2].
The cybersecurity threat has spread primarily through GetApps, Xiaomi's official app store for its devices, where threat actors initially submit clean applications before introducing malicious components in subsequent updates [1]. Dr. Web researchers identified at least six infected games with over 155,000 cumulative downloads, including Theft Auto Mafia with 61,000 downloads, Cute Pet House with 34,000 downloads, and Creation Magic World with 32,000 downloads. All infected apps on GetApps are attributed to a single developer, Shenzhen Ruiren Network Co. Ltd [2].
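An added example, not code from Dr. Web or the outlets cited here: because the apps were clean when first submitted and gained their malicious components in later updates, a store reviewer or analyst can diff the archive contents of two versions and flag newly introduced code-bearing files. The entry categories, the growth threshold and all file names are assumptions, and both archives are constructed in memory.

```python
import io
import zipfile

# Categories a reviewer may want to re-inspect when they first appear in an
# update. Assumed for illustration; these are not indicators from the report.
def classify(name):
    if name.startswith("lib/") and name.endswith(".so"):
        return "native library"
    if name.startswith("classes") and name.endswith(".dex"):
        return "dex file"
    if name.startswith("assets/") and name.endswith((".js", ".html")):
        return "web asset"
    return None

def entries(apk_bytes):
    """Map entry name -> (CRC32, uncompressed size); an APK is a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {i.filename: (i.CRC, i.file_size) for i in z.infolist()}

def diff_update(old_apk, new_apk, growth=2.0):
    """Return sorted findings for code-bearing entries that are new or grew sharply."""
    old, new = entries(old_apk), entries(new_apk)
    findings = []
    for name, (crc, size) in new.items():
        kind = classify(name)
        if kind is None:
            continue
        if name not in old:
            findings.append((name, f"new {kind}"))
            continue
        old_crc, old_size = old[name]
        if crc != old_crc and size >= growth * max(old_size, 1):
            findings.append((name, f"{kind} grew {size / max(old_size, 1):.1f}x"))
    return sorted(findings)

def build_apk(files):
    """Build a constructed, APK-like ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: V1 as first submitted, V2 after a later update.
V1 = build_apk({"classes.dex": b"\x00" * 1000, "assets/game.dat": b"g" * 50})
V2 = build_apk({"classes.dex": b"\x00" * 3500, "assets/game.dat": b"g" * 50,
                "assets/helper.js": b"// constructed",
                "lib/arm64-v8a/libstream.so": b"\x7fELF"})

if __name__ == "__main__":
    for name, reason in diff_update(V1, V2):
        print(f"{name}: {reason}")
```

A finding is a prompt for manual review of that update, not a verdict; legitimate releases add libraries and scripts too.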
Beyond GetApps, the malware has proliferated across third-party platforms including Moddroid and Apkmody, where researchers found that most apps on Moddroid's "Editor's Choice" page are infected [1]. The trojans are also distributed through Telegram channels and Discord servers, with modified versions of popular applications like Spotify, YouTube, Deezer, and Netflix being weaponized to deliver the malware. One Discord server pushing an infected app called Spotify X had amassed 24,000 subscribers [1].
While malware clicks hidden ads without posing an immediate data theft risk, the impact on users manifests through increased battery drainage, premature device degradation, and elevated mobile data consumption [1]. Because the click fraud executes covertly in a hidden WebView rendering content on a virtual screen, victims see no visible indication of malicious activity, especially since many infected apps retain their core functionality [1]. This operational stealth reduces user suspicion and allows the malware to operate undetected for extended periods.
Security experts warn that while clickjacking primarily targets ad networks and advertisers for financial gain, the remote hijacking capabilities demonstrated by the signalling mode could potentially be repurposed for more severe attacks, including data theft or targeting other users with infected APK files [2]. The use of TensorFlow to adapt to dynamic ad formats that frequently change structure and often use iframes or video represents a concerning evolution in mobile threats [1]. Users are strongly advised to avoid installing apps outside Google Play, enable Google Play Protect, regularly audit app permissions, and remain vigilant about downloading alternative versions of popular apps that promise extra features or free access to premium subscriptions [4].