A new family of Android click-fraud trojans is leveraging TensorFlow machine learning models to automatically detect and interact with specific advertisement elements, researchers at Dr.Web have found. This advanced mechanism relies on visual analysis rather than traditional JavaScript routines, making it more resilient against modern ad variability, Bleeping Computer reports.

The threat actor employs TensorFlow.js, a Google library, to run AI models within a hidden WebView. This "phantom" mode analyzes screenshots to identify and tap ad elements, mimicking normal user activity. A "signalling" mode streams live video feeds to attackers for real-time interaction. The malware is distributed through Xiaomi's GetApps store, initially appearing in legitimate games and receiving malicious components in subsequent updates. It is also found on third-party APK sites like Apkmody and Moddroid, often disguised as modified versions of popular apps such as Spotify and Netflix, as well as through Telegram channels and Discord servers. Some infected apps function normally, masking the covert click-fraud operations.

While click fraud may not pose an immediate data privacy threat, it represents a significant and lucrative cybercriminal activity. The primary impact on users includes increased battery drain, premature device degradation, and higher mobile data charges. Android users are strongly advised to exercise caution and avoid installing applications from sources outside the official Google Play Store, particularly modified versions of popular apps that promise unauthorized premium features or free access.

Source: Bleeping Computer
AI/ML, Application security, Threat Intelligence
New Android trojan uses AI for sophisticated click fraud




