**Machine Learning-Powered Android Trojans Bypass Script-Based Ad Click Detection**

A new wave of sophisticated Android click-fraud trojans has emerged, using machine learning (ML) to visually detect and tap ads, evading traditional script-based methods. Researchers at Dr.Web, a leading cybersecurity firm, have discovered this alarming trend, which threatens the security of millions of Android users worldwide.

The malware family in question, dubbed "Android.Phantom," utilizes TensorFlow.js ML models to analyze screenshots and mimic real user behavior. This allows it to navigate through dynamic ads more effectively than traditional script-based methods. The malicious code is distributed via Xiaomi's GetApps platform and operates in a hidden "phantom" WebView, loading models remotely.

Once activated, the Trojan runs in two modes: "phantom" and "signaling." In phantom mode, it loads a target site and a JavaScript file containing ad-automation logic and TensorFlow.js. A trained ML model is then downloaded from a remote server, which analyzes screenshots of the virtual screen to detect ad elements. These detected ads are automatically clicked by the Trojan.

In signaling mode, Android.Phantom uses WebRTC (Web Real-Time Communication) to stream live video of the virtual browser to attackers. The attackers can remotely control it by clicking, scrolling, or entering text, allowing them to navigate through apps with ease. This capability turns devices into bots for DDoS attacks and enables other malicious activities, such as draining battery life and data, leaking personal information via spyware modules, and engaging in illegal activity.

The researchers at Dr.Web have identified several popular mobile games from a single developer, SHENZHEN RUIREN NETWORK CO., LTD., that initially seemed clean but later updated with the Android.Phantom.2.origin Trojan. The malware is embedded within these games, running alongside them without any indication of malicious activity.

Alarmingly, many "Editor's Choice" apps on Moddroid are infected, and users can download modified Spotify, YouTube, Deezer, and Netflix apps from third-party APK sites like Moddroid and Apkmody. Malicious APKs also circulate on Telegram channels and a Discord server with 24,000 users promoting an infected Spotify X app.

Dr.Web's research highlights the risk posed by these trojans to users worldwide, particularly those without updated antivirus protection. Children and individuals seeking unofficial app access are especially vulnerable, as they often lack the technical expertise to identify malicious activity.

The researchers conclude that users should exercise caution when downloading mods or apps from untrusted websites and channels. Verifying the sources of these downloads typically requires time, experience, and a keen eye for potential red flags.

To stay informed about the latest cybersecurity threats and trends, follow me on Twitter: @securityaffairs and Facebook and Mastodon for updates and analysis on emerging security concerns.