Android Malware Uses AI to Commit Click Fraud by “Seeing” and Tapping Ads Like a Human

New trojans abuse machine learning to bypass traditional ad-fraud defenses on mobile devices

Security researchers have identified a new family of Android click-fraud trojans that use machine learning and visual analysis to automatically detect and interact with online advertisements, marking a significant evolution in mobile ad fraud.

Unlike traditional click-fraud malware that relies on scripted JavaScript routines or DOM-level manipulation, this campaign uses computer vision powered by TensorFlow models to recognize ad elements visually and tap them in a way that closely mimics real user behavior.

How the AI-Driven Click Fraud Works

Researchers from Dr.Web found that the malware leverages TensorFlow.js, an open-source framework developed by Google, to run machine-learning models directly within JavaScript environments.

The trojan operates in a stealth mode called “phantom”, which uses a hidden WebView-based browser to load web pages that contain ads. After downloading a trained ML model from a remote server, the malware:

  • Renders the page on a virtual screen
  • Captures screenshots of the content
  • Uses TensorFlow.js to identify ad elements visually
  • Taps the correct UI elements to generate fraudulent ad interactions

This method allows the malware to adapt to dynamic ads, including those using iframes or video, making it more resilient than traditional click-fraud techniques.

Real-Time Control Through Live Video Streaming

The researchers also identified a second operational mode called “signalling.” In this mode, the malware streams a live video feed of the hidden browser to attackers using WebRTC.

This capability allows threat actors to manually interact with ads in real time by tapping, scrolling, or entering text remotely, further increasing the effectiveness of the fraud operation.

Distribution via Official and Unofficial App Sources

Dr.Web discovered that the malware spreads primarily through Xiaomi GetApps, the official app marketplace for Xiaomi devices.

The attackers upload games that initially appear clean. Malicious components are added later through app updates. Identified infected titles include:

  • Theft Auto Mafia (61,000 downloads)
  • Cute Pet House (34,000 downloads)
  • Creation Magic World (32,000 downloads)
  • Amazing Unicorn Party (13,000 downloads)
  • Open World Gangsters (11,000 downloads)
  • Sakura Dream Academy (4,000 downloads)

In addition, the trojans spread through third-party APK sites and modified versions of popular apps. Researchers found widespread infections in unofficial builds of Spotify, YouTube, Deezer, and Netflix.

The malware also propagates through Telegram channels and a Discord server with more than 24,000 subscribers promoting an infected app called Spotify X.

Why Victims Don’t Notice Anything

Some of the infected apps function normally, which lowers user suspicion. The click-fraud activity runs silently in the background using a hidden WebView rendered on a virtual display.

As a result, users see no visible signs of malicious behavior.

While click fraud does not directly steal personal data, it causes:

  • Increased battery drain
  • Faster device wear
  • Higher mobile data usage

At scale, this activity generates significant revenue for cybercriminals.

What Android Users Should Do

Security experts advise Android users to avoid installing apps from unofficial sources and to stay away from modified or “premium” versions of popular applications.

Sticking to trusted app stores and carefully reviewing app permissions remain critical steps in reducing risk.