New Android malware uses AI to fake ad clicks—here's what you need to know
A sneaky new Android malware, called Android.Phantom.2.origin, is making the rounds. It uses Google's TensorFlow.js (yep, real machine learning) to spot and click ads automatically, but it also supports a signaling mode that streams the virtual browser via WebRTC to attackers and allows them to manually tap, scroll, and enter text in real time.
This makes it way smarter than typical ad fraud tricks and harder for security tools to catch.
How does this malware work?
The malware runs in "phantom" mode, hiding its activity by using a secret WebView that loads AI models from remote servers.
It fakes taps on ads without showing anything on your screen, which can seriously drain your battery and eat up data.
It can even be controlled remotely for live scrolling and tapping—pretty wild for a phone infection.
Where is it spreading?
It showed up in games from Shenzhen Ruiren Network Co., Ltd., after updates through Xiaomi's GetApps store.
But it's also hiding in modded versions of big-name apps like Spotify, YouTube, and Netflix shared on Telegram (like the Spotify Pro channel with 54K+ subs), Discord servers, Apkmody, and Moddroid.
Why is this one tough to stop?
Android.Phantom.2.origin downloads a trained TensorFlow.js model from a remote server and uses ML-based visual analysis, which makes it more resilient to dynamic ads.
Plus, its code is heavily obfuscated—making it tricky for antivirus apps to spot or remove.
If your phone starts acting weird or draining fast after installing sketchy apps or mods, this could be why!
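For defenders, here is one way to correlate the behaviors described above (a background model download, ad traffic with nothing on screen, WebRTC setup) from per-app network telemetry. This is an added example, not code from the malware or from any vendor's report; the event fields, app names, hosts and the flagging rule are all assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

AD_HOSTS = {"ads.example.org"}  # placeholder ad-network host (assumption)
STUN_PORT = 3478                # default STUN port, used during WebRTC setup

def is_tfjs_manifest(body):
    """True if a response body looks like a TensorFlow.js model.json manifest."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):  # missing body, HTML, empty string, ...
        return False
    return isinstance(doc, dict) and "modelTopology" in doc and "weightsManifest" in doc

def background_signals(events):
    """Map app -> set of signals seen while the app was NOT in the foreground."""
    seen = defaultdict(set)
    for ev in events:
        if ev["foreground"]:
            continue  # activity the user can see is out of scope here
        if ev["kind"] == "http":
            if is_tfjs_manifest(ev.get("body")):
                seen[ev["app"]].add("tfjs_model_fetch")
            if urlparse(ev["url"]).hostname in AD_HOSTS:
                seen[ev["app"]].add("ad_request")
        elif ev["kind"] == "udp" and ev.get("dport") == STUN_PORT:
            seen[ev["app"]].add("webrtc_stun")
    return seen

def suspicious_apps(events):
    """Apps that pull an ML model in the background AND hit ads or set up WebRTC."""
    return sorted(app for app, sig in background_signals(events).items()
                  if "tfjs_model_fetch" in sig and sig & {"ad_request", "webrtc_stun"})

# Constructed sample events (hypothetical field names, not real telemetry).
MODEL = '{"modelTopology": {}, "weightsManifest": [{"paths": ["group1-shard1of1.bin"]}]}'
EVENTS = [
    {"app": "com.example.game", "foreground": False, "kind": "http", "url": "https://cdn.example.net/m/model.json", "body": MODEL},
    {"app": "com.example.game", "foreground": False, "kind": "http", "url": "https://ads.example.org/click", "body": ""},
    {"app": "com.example.game", "foreground": False, "kind": "udp", "dport": 3478},
    {"app": "com.example.photo", "foreground": True, "kind": "http", "url": "https://cdn.example.net/p/model.json", "body": MODEL},
    {"app": "com.example.news", "foreground": False, "kind": "http", "url": "https://ads.example.org/banner", "body": "<html>"},
    {"app": "com.example.chat", "foreground": False, "kind": "udp", "dport": 3478},
]

if __name__ == "__main__":
    print(suspicious_apps(EVENTS))
```

A foreground app that loads a model, a background app that only shows ads, and a chat app that only uses WebRTC all stay unflagged; only the combination is treated as worth a closer look.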