New Android Malware Uses AI to Secretly Click Ads in the Background
A newly discovered strain of Android malware powered by artificial intelligence is raising serious concerns in the mobile security world. Unlike traditional click-fraud trojans that rely on scripted commands, this malware uses machine learning models to visually detect and interact with online advertisements, making it significantly harder to detect and block.
According to security researchers, the malware leverages TensorFlow.js, an open-source AI framework developed by Google, to carry out automated ad-clicking operations without any visible signs to the user. The discovery highlights a worrying shift in how cybercriminals are adopting AI-driven techniques to bypass modern security defenses on Android devices.

How This Android AI Malware Works
Security firm Dr.Web identified the malware while investigating suspicious activity linked to apps distributed through Xiaomi’s GetApps store, as well as third-party APK platforms and Telegram channels.
Instead of using predefined JavaScript routines or DOM-based manipulation, the malware operates through visual analysis. Once installed, it activates a hidden WebView-based browser, a mode of operation that researchers refer to as “phantom mode.”
In this mode:
- A web page containing advertisements is loaded invisibly
- Screenshots of the page are captured
- TensorFlow.js analyzes the images to locate clickable ad elements
- The malware simulates realistic user taps on those ads
Because the ads are visually identified rather than structurally targeted, the system remains effective even when ad layouts change, use iframes, or embed video ads—techniques that usually break traditional click-fraud malware.
Real-Time Control via “Signalling Mode”
Researchers also uncovered a second, more advanced operation method called “signalling mode.” Here, the malware uses WebRTC technology to stream a live video feed of the hidden browser session back to attackers.
This allows threat actors to:
- Manually tap and scroll in real time
- Enter text where required
- Adjust actions dynamically based on what appears on screen
In effect, infected Android phones become remote-controlled ad-fraud machines, operating silently in the background.
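For analysts triaging a suspect APK, the two modes described above suggest a simple static check: look for TensorFlow.js model code and a WebRTC client shipped together in the package's web assets. The script below is an added example, not code or indicators from Dr.Web's research; the marker strings, function names and sample file names are assumptions chosen for illustration.

```python
import io
import json
import zipfile

# Heuristic markers (assumptions, not indicators published for this malware).
TFJS_CALLS = (b"tf.loadGraphModel", b"tf.loadLayersModel")  # TensorFlow.js model loaders
WEBRTC_CALLS = (b"RTCPeerConnection",)                      # browser WebRTC API
MAX_READ = 8 * 1024 * 1024  # cap per-entry reads so a huge entry cannot exhaust memory

def is_tfjs_model(raw: bytes) -> bool:
    """True if raw parses as a TensorFlow.js model.json (topology + weights manifest)."""
    try:
        doc = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(doc, dict) and "modelTopology" in doc and "weightsManifest" in doc

def triage_apk(apk) -> dict:
    """Map each marker class to the APK entries (path or file object input) that match."""
    hits = {"tfjs_model": [], "tfjs_loader": [], "webrtc": []}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.is_dir() or not name.endswith((".json", ".js", ".html")):
                continue
            with zf.open(info) as fh:
                raw = fh.read(MAX_READ)
            if name.endswith(".json") and is_tfjs_model(raw):
                hits["tfjs_model"].append(info.filename)
            if any(m in raw for m in TFJS_CALLS):
                hits["tfjs_loader"].append(info.filename)
            if any(m in raw for m in WEBRTC_CALLS):
                hits["webrtc"].append(info.filename)
    return hits

def needs_review(hits: dict) -> bool:
    """Escalate when image-model code and a WebRTC client ship in the same package."""
    return bool(hits["tfjs_model"] or hits["tfjs_loader"]) and bool(hits["webrtc"])

def build_sample_apk() -> io.BytesIO:
    """Constructed sample: a zip laid out like an APK with three made-up assets."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/m/model.json", json.dumps({"modelTopology": {}, "weightsManifest": []}))
        zf.writestr("assets/m/run.js", "const m = await tf.loadGraphModel('model.json');")
        zf.writestr("assets/m/link.js", "const pc = new RTCPeerConnection(cfg);")
    buf.seek(0)
    return buf
```

A match is a reason for manual review, not a verdict, since legitimate apps also bundle these libraries. A clean result proves little on its own, because the article notes that payloads arrived through later updates.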
Where the Malware Is Spreading
The malicious trojans were primarily found in games published on Xiaomi’s GetApps platform. Notably, the apps were initially clean and later received malicious payloads through updates—a tactic designed to evade store moderation.
Some identified infected apps reportedly crossed tens of thousands of downloads before being flagged.
Beyond official app stores, the Android malware is also spreading aggressively through:
- Third-party APK sites like Moddroid and Apkmody
- Modified “Pro” versions of popular apps such as Spotify, YouTube, Netflix, and Deezer
- Telegram groups and Discord servers, some with tens of thousands of subscribers
Alarmingly, researchers note that many infected apps function as advertised, lowering user suspicion and increasing infection rates.
Why This Android Malware Is Hard to Detect
From a user perspective, there are no visible warning signs. The malware:
- Runs silently in a hidden WebView
- Does not display pop-ups or ads on screen
- Does not steal personal data directly
However, infected devices may experience:
- Faster battery drain
- Increased mobile data usage
- Long-term hardware strain due to constant background activity
While click fraud may seem less severe than data theft, it remains a highly profitable cybercrime, funding broader criminal ecosystems.
How Android Users Can Stay Safe
Security experts strongly advise users to:
- Avoid downloading apps from unofficial sources
- Be cautious of “modded” or premium-unlock APKs
- Keep Google Play Protect enabled
- Monitor unusual battery or data usage
- Install updates only from trusted developers
As AI-powered threats become more common, Android security awareness is no longer optional—it’s essential.
