For months, the apps looked ordinary enough — casual games, familiar media brands, harmless diversions downloaded by tens of thousands of Android users. But beneath their colorful interfaces, researchers say, a new generation of mobile malware was quietly turning phones into tools for industrial-scale ad fraud.
An Invisible Economy of Clicks
Clickjacking and advertising fraud rarely announce themselves to victims. Unlike data-stealing malware, they do not siphon off passwords or private messages. Instead, they consume battery life, accelerate device wear and inflate mobile data bills — subtle costs borne by users while profits flow elsewhere.
Researchers at the mobile security firm Dr.Web say the operation they uncovered is emblematic of a mature underground economy built on fraudulent advertising interactions. The malware, embedded in Android applications, covertly loads ads and simulates user engagement, generating revenue for its operators with little visible disruption. Victims typically see no warning signs, no pop-ups or error messages, only a phone that seems to run a bit hotter and drain a bit faster. That invisibility, researchers note, is precisely the point.
From Modded Apps to Official App Stores
The distribution channels for the infected software were unusually broad. According to Dr.Web, trojanized apps circulated through third-party APK sites such as Apkmody and Moddroid, often disguised as modified or “premium” versions of popular services like Spotify, YouTube, Deezer and Netflix. Telegram channels also played a role, pushing infected files under names like Spotify Pro and Spotify Plus.
In one case, researchers identified a Discord server with roughly 24,000 subscribers promoting an infected app known as Spotify X. Some of these apps, they found, did in fact deliver promised features, reducing suspicion and encouraging downloads.
More strikingly, the malware was also found inside games hosted on Xiaomi’s official GetApps store. In this case, researchers say, the threat actors initially submitted clean versions of the apps, only to introduce malicious components in later updates. Among the infected titles identified were casual games with download counts ranging from a few thousand to more than 60,000.
A Machine Learning Turn in Mobile Malware
At the technical core of the operation was an approach that departed from older, script-based click fraud. Rather than relying on predefined instructions to interact with ads, the malware used visual analysis driven by machine learning.
After downloading a trained model from a remote server, the malware rendered ads inside a hidden WebView placed on a virtual screen. Screenshots were then analyzed using TensorFlow.js to identify relevant interface elements. Once the correct target was detected, the malware simulated taps and gestures that closely resembled normal user behavior.
This method, researchers said, proved more resilient against modern advertising layouts, which frequently change structure and rely on dynamic elements such as iframes and video. By mimicking human interaction at the visual level, the malware avoided many of the defenses designed to detect automated fraud.
Remote Control and Real-Time Interaction
In addition to its automated mode — referred to by researchers as “phantom” — the malware also supported a second operational state called “signalling.” In this mode, attackers could stream a live video feed of the virtual browser screen using WebRTC, allowing them to manually tap, scroll and enter text in real time.
This hybrid design, combining automation with human oversight, gave operators flexibility to adapt to new ad formats or unexpected changes. Throughout the process, all activity remained hidden from the phone’s owner, occurring entirely within the virtual environment created by the malware.
Dr.Web researchers emphasized that while the operation did not directly target personal data, its scale and sophistication highlighted how far mobile ad fraud has evolved. For Android users, they warned, the safest defense remains a cautious one: avoiding apps from unofficial sources and being wary of modified versions that promise free access to paid features — even when those apps appear to work as advertised.
