
Android Malware Uses AI to Click Hidden Ads

Originally published on: January 23, 2026
Summary

– A new Android click-fraud trojan family uses TensorFlow machine learning models to visually detect and interact with specific ads, moving beyond traditional script-based methods.
– The malware is distributed through Xiaomi’s official GetApps store and third-party APK sites, often hidden within seemingly functional apps like games or modified streaming services.
– It operates in two modes: a ‘phantom’ mode using a hidden browser and AI analysis to automate ad clicks, and a ‘signalling’ mode that streams the screen to attackers for real-time remote control.
– The fraudulent activity covertly drains battery, increases data usage, and generates revenue for attackers, but does not directly steal user data.
– Users are advised to avoid third-party app stores and modified versions of popular apps to protect against this threat.

A concerning new breed of Android malware is employing artificial intelligence to carry out sophisticated click fraud, marking a significant evolution in mobile ad fraud tactics. This malware family uses TensorFlow machine learning models to visually identify and interact with on-screen advertisements, moving beyond traditional, easily detectable methods. By analyzing the visual layout of a webpage, the malicious software can pinpoint ad elements with high accuracy, mimicking genuine user clicks to generate illicit revenue for its operators.

The mechanism represents a major shift. Instead of relying on predefined JavaScript routines or interacting with a webpage’s Document Object Model (DOM), this trojan uses a trained AI model for visual analysis. The threat actors utilize TensorFlow.js, Google’s open-source library, to run these models directly within a hidden browser environment on the infected device. Security researchers at Dr.Web discovered this malware is being distributed through Xiaomi’s official GetApps store, hidden within seemingly legitimate applications, primarily games.

The malicious operation functions in two distinct modes. The first, dubbed ‘phantom,’ employs a concealed WebView browser to load a target webpage. It then takes screenshots, which are analyzed by the TensorFlow.js model to locate specific advertisement elements like buttons. The AI then simulates a tap on the correct area, replicating normal user behavior. This approach is highly effective against modern, dynamic ads that frequently change their structure or use iframes, making older script-based fraud ineffective.

A second, more invasive mode called ‘signalling’ uses WebRTC technology to stream a live video feed of the infected device’s virtual screen directly to the attackers. This allows them to perform manual, real-time actions such as tapping, scrolling, and entering text, providing direct control over the fraud operation.

The distribution method is particularly insidious. Malicious apps are initially submitted to app stores without any harmful code. Only after gaining approval and a user base do they receive updates that introduce the trojan functionality. Researchers identified several infected games on GetApps, including titles like Theft Auto Mafia, Cute Pet House, and Creation Magic World, which collectively had hundreds of thousands of downloads.
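The review-then-update pattern described here is a capability-drift problem: the version a store reviewer saw and the version users end up running are not the same package. The following is an added example written for this article, not code from Dr.Web, the article's source or the malware itself. It compares the artifact inventory of two releases (file paths, declared permissions and referenced framework classes) and scores only the risk indicators that first appear in the update. The indicator rules, their weights, the `file:`/`perm:`/`ref:` inventory format and the sample releases are assumptions constructed for illustration; the indicators themselves follow the article's description of the phantom and signalling modes (a bundled TensorFlow.js runtime and model, WebRTC, an off-screen rendering surface) plus the standard TensorFlow.js packaging of a `model.json` manifest with binary weight shards.

```python
"""Flag risky capability drift between two releases of the same app.

Added example for this article; not code from Dr.Web, from the article's
source, or from the malware. It models the distribution pattern the
article describes: a first release that passes store review with no
harmful code, then an update that brings in a TensorFlow.js runtime and
model, WebRTC and off-screen rendering. Rules, weights, the inventory
format and the sample releases are assumptions constructed here.
"""
from dataclasses import dataclass
import re

# Each artifact string is prefixed with its kind:
#   file:<path inside the package>, perm:<declared permission>, ref:<framework class or member>
# Patterns are assumptions; the TF.js file names follow its usual packaging.
INDICATOR_RULES = {
    "tfjs_runtime": re.compile(r"^file:(.*/)?tf(\.min)?\.js$"),
    "tfjs_model": re.compile(r"^file:(.*/)?(model\.json|group\d+-shard\d+of\d+\.bin)$"),
    "webrtc": re.compile(r"^ref:org\.webrtc\."),
    "virtual_display": re.compile(r"^ref:android\.hardware\.display\.DisplayManager\.createVirtualDisplay$"),
    "webview": re.compile(r"^ref:android\.webkit\.WebView$"),
    "perm_internet": re.compile(r"^perm:android\.permission\.INTERNET$"),
    "perm_foreground_service": re.compile(r"^perm:android\.permission\.FOREGROUND_SERVICE$"),
}

# Weights are assumed. Each indicator is common on its own; the score is
# meant to react to several of them arriving together in one update.
INDICATOR_WEIGHTS = {
    "tfjs_runtime": 2,
    "tfjs_model": 2,
    "webrtc": 2,
    "virtual_display": 2,
    "webview": 1,
    "perm_internet": 1,
    "perm_foreground_service": 1,
}


@dataclass(frozen=True)
class Release:
    version: str
    artifacts: tuple[str, ...]


def indicators_of(release: Release) -> frozenset[str]:
    """Map a release's artifacts to the indicator names they trigger."""
    found = set()
    for artifact in release.artifacts:
        for name, pattern in INDICATOR_RULES.items():
            if pattern.search(artifact):
                found.add(name)
    return frozenset(found)


def drift(old: Release, new: Release) -> dict:
    """Indicators present in `new` but absent from `old`, plus their summed weight."""
    added = indicators_of(new) - indicators_of(old)
    return {"added": sorted(added), "score": sum(INDICATOR_WEIGHTS[n] for n in added)}


def review_update(old: Release, new: Release, threshold: int = 6) -> bool:
    """True when an update adds enough new indicators to merit a manual look (threshold assumed)."""
    return drift(old, new)["score"] >= threshold


# Constructed sample releases of a hypothetical game. v1.0 is the reviewed
# version; it already has a WebView (say, for a help page), so WebView alone
# must not count as drift later.
V1_0 = Release("1.0", (
    "file:assets/levels.json",
    "file:lib/arm64-v8a/libgame.so",
    "perm:android.permission.INTERNET",
    "ref:android.webkit.WebView",
))
# A benign content update: nothing matches a rule.
V1_1 = Release("1.1", V1_0.artifacts + (
    "file:assets/levels2.json",
    "perm:android.permission.VIBRATE",
))
# The update that brings in the click-fraud machinery described in the article.
V1_3 = Release("1.3", V1_0.artifacts + (
    "file:assets/web/tf.min.js",
    "file:assets/web/model.json",
    "file:assets/web/group1-shard1of2.bin",
    "file:assets/web/group1-shard2of2.bin",
    "ref:org.webrtc.PeerConnectionFactory",
    "ref:android.hardware.display.DisplayManager.createVirtualDisplay",
    "perm:android.permission.FOREGROUND_SERVICE",
))

if __name__ == "__main__":
    for new in (V1_1, V1_3):
        d = drift(V1_0, new)
        print(f"{V1_0.version} -> {new.version}: {d}, review={review_update(V1_0, new)}")
```

The point of diffing rather than scanning each release in isolation is that every indicator here is legitimate in some app; what the article describes is their sudden arrival together in an update to a game that previously needed none of them, which is exactly what a per-release scan with fixed thresholds tends to miss.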

Beyond the official Xiaomi store, the malware is proliferating through third-party APK websites and Telegram channels. These platforms often host modified, or “modded,” versions of popular apps like Spotify, YouTube, and Netflix, which promise premium features for free. Dr.Web’s investigation found that a significant portion of the apps listed on sites like Moddroid’s “Editor’s Choice” page were infected. A dedicated Discord server with thousands of members was also found pushing a compromised app called Spotify X.

A key factor in the malware’s success is that many of these infected applications “actually work” as intended, lulling users into a false sense of security. The click fraud occurs entirely in the background within a hidden WebView on a virtual screen, meaning victims typically notice no unusual activity on their devices. The immediate consequences for the user are not data theft but increased battery drain, potential hardware degradation, and unexpected mobile data overage charges due to the constant background processing and network traffic.
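Because the article says the only user-visible symptoms are battery drain and data usage from background processing, the behavioural signal is an app whose background network and CPU activity are out of proportion to the time anyone actually spent in it. The following is an added example written for this article, not code from Dr.Web or the article's source. It computes background bytes and background CPU seconds per foreground second for each app, compares each to the device-wide median, and flags apps far above the median on both. The usage records are constructed sample data and the outlier factor is an assumption.

```python
"""Flag apps whose background activity is out of proportion to actual use.

Added example for this article; not code from Dr.Web or the article's
source. Hidden-WebView click fraud has no foreground footprint, so it
shows up as background network and CPU cost against little or no
on-screen time. Sample records and the outlier factor are constructed
assumptions.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class UsageRecord:
    package: str
    foreground_seconds: int      # time the app was actually on screen
    background_bytes: int        # network bytes moved while not in the foreground
    background_cpu_seconds: int  # CPU time consumed while not in the foreground


# Constructed one-day sample. "puzzle_game" is the hypothetical infected app:
# fifteen minutes of play, hours of background CPU and hundreds of MB moved.
SAMPLE_DAY = [
    UsageRecord("puzzle_game", 900, 350_000_000, 5400),
    UsageRecord("messaging", 3600, 20_000_000, 120),
    UsageRecord("maps", 1200, 60_000_000, 90),
    UsageRecord("email", 600, 15_000_000, 60),
    UsageRecord("weather", 60, 2_000_000, 10),
    UsageRecord("unused_widget", 0, 20_000, 0),  # never opened: exercises the zero-foreground path
]


def intensity(rec: UsageRecord) -> tuple[float, float]:
    """Background bytes and CPU seconds per foreground second.

    The denominator is floored at one second so an app the user never opened
    still yields a finite value instead of a division error.
    """
    fg = max(rec.foreground_seconds, 1)
    return rec.background_bytes / fg, rec.background_cpu_seconds / fg


def ratios(records: list[UsageRecord]) -> dict[str, tuple[float, float]]:
    """Each app's intensities expressed as multiples of the device-wide median."""
    per_app = {r.package: intensity(r) for r in records}
    med_bytes = median(v[0] for v in per_app.values())
    med_cpu = median(v[1] for v in per_app.values())

    def rel(value: float, med: float) -> float:
        # A zero median means most apps do nothing in the background;
        # any positive value is then treated as unbounded.
        if med == 0:
            return float("inf") if value > 0 else 0.0
        return value / med

    return {pkg: (rel(b, med_bytes), rel(c, med_cpu)) for pkg, (b, c) in per_app.items()}


def flag_outliers(records: list[UsageRecord], factor: float = 5.0) -> list[str]:
    """Packages exceeding `factor` times the median on both bytes and CPU per foreground second."""
    return sorted(pkg for pkg, (rb, rc) in ratios(records).items() if rb >= factor and rc >= factor)


if __name__ == "__main__":
    for pkg, (rb, rc) in ratios(SAMPLE_DAY).items():
        print(f"{pkg:14s} bytes x{rb:6.1f}  cpu x{rc:6.1f}")
    print("flagged:", flag_outliers(SAMPLE_DAY))
```

Requiring both ratios to be high is deliberate: a sync-heavy mail client moves data in the background without burning CPU, and a background music player burns CPU without moving much data, whereas rendering pages in a hidden WebView and running a model over screenshots does both. On Android the per-app inputs correspond to what UsageStatsManager and NetworkStatsManager expose; the scoring itself is the illustration here.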

While click fraud may not directly compromise personal information, it represents a highly profitable criminal enterprise that degrades the mobile experience and funds further malicious activity. The best defense for Android users is to exercise extreme caution with apps from unofficial sources, especially modified versions of popular services that offer paid features at no cost. Sticking to trusted platforms like the Google Play Store, though not infallible, significantly reduces the risk of encountering this advanced, AI-powered threat.

(Source: Bleeping Computer)
