Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
FortiBleed Vulnerability Exploited by INC and Lynx Ransomware to Steal Passwords
July 2, 2026
WhatsApp Username Reservations Raise Security Concerns for 2 Billion Users
July 2, 2026
Alleged Scattered Spider Member Extradited to US for 100+ Network Hacks
July 2, 2026
Home/Threats/New AI-Android Malware that Auto Clicks Ads from the Infected Devices
Threats

New AI-Android Malware that Auto Clicks Ads from the Infected Devices

A dangerous new Android malware campaign has surfaced, specifically targeting users through compromised mobile games and modified pirated streaming applications. The threat, known as Android.Phantom,...

Jennifer sherman
Jennifer sherman
January 22, 2026 2 Min Read
32 0

A dangerous new Android malware campaign has surfaced, specifically targeting users through compromised mobile games and modified pirated streaming applications.

The threat, known as Android.Phantom, employs machine learning technology to perform automated ad-click fraud on infected smartphones.

Over 155,000 downloads of compromised games have been recorded, with additional infections spreading through modified versions of Spotify, YouTube, Netflix, and Deezer across unofficial platforms.

Spotify Plus website (Source - Dr.Web)
Spotify Plus website (Source – Dr.Web)

The malware propagates through several channels, including the official GetApps store for Xiaomi devices, where six infected games from developer SHENZHEN RUIREN NETWORK CO., LTD. were discovered.

These apps initially launched without malicious code, but updates released in late September introduced the Android.Phantom trojan.

GetApps distributing Trojans (Source - Dr.Web)
GetApps distributing Trojans (Source – Dr.Web)

Distribution extends beyond official stores to dedicated modding websites, Telegram channels attracting tens of thousands of subscribers, and Discord servers where administrators actively promote infected downloads.

Dr.Web researchers noted that Android.Phantom operates using two distinct modes called phantom and signaling. The malware connects to attacker-controlled command servers that dictate its behavior patterns.

Its sophisticated design incorporates TensorFlowJS, a machine learning framework that enables intelligent identification and automated clicking of advertising elements displayed within hidden browsers running on infected devices.

The threat consists of multiple interconnected components. Android.Phantom.2.origin serves as the primary variant, later enhanced by Android.Phantom.5, which functions as a dropper delivering remote code loaders.

These loaders retrieve additional click-fraud modules designed for specific advertising platforms.

How the Machine Learning Attack Works

The phantom mode represents the malware’s most advanced capability, utilizing artificial intelligence for fraudulent ad interactions.

Android.Phantom.2.origin deploys a hidden browser based on WebView widget technology, loading target websites as directed by command servers.

Spotify X with approximately 24,000 subscribers (Source - Dr.Web)
Spotify X with approximately 24,000 subscribers (Source – Dr.Web)

The malware then injects JavaScript automation scripts alongside the TensorFlowJS framework.

An AI model downloaded from external servers analyzes webpage screenshots captured from a virtual screen, identifying clickable advertisement components.

This intelligent approach mimics genuine user behavior, making fraudulent clicks harder for advertising networks to detect compared to basic automated scripts.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

New ClearFake Campaign Leveraging Proxy Execution to Run PowerShell Commands via Trusted Window Feature

Next Post

Critical Chainlit AI Vulnerabilities Let Hackers Gain Control Over Cloud Environments

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Reduce Alert Fatigue to Improve SOC Efficiency and Cut Business Costs
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us