AI-Powered Android Malware Secretly Clicks Hidden Browser Ads
Recent research has uncovered a family of Android click-fraud trojans that use machine learning: a TensorFlow.js model decides where to tap inside a hidden browser, so that advertisements are clicked without the user ever seeing them.
Key Features of the Malware
What sets the malware apart is that it locates its click targets by visual analysis of the rendered page rather than by fixed, script-based interactions. Conventional click-fraud code relies on pre-defined JavaScript routines that address page elements by selector and stop working when the ad markup changes; this trojan instead decides where to tap from what is on screen, which makes it a novel threat in mobile security.
Detection and Operation
According to Dr.Web, the antivirus vendor that analyzed the samples, the click-fraud malware is distributed primarily through Xiaomi's official app store, GetApps. One notable feature is its 'phantom' mode, in which a hidden WebView-based browser carries out click fraud automatically: it loads target web pages and executes JavaScript files that drive the interaction with the advertisements on them.
- The malware captures screenshots of the hidden browser and analyzes them with a TensorFlow.js model.
- It then taps the on-screen elements the model identifies, mimicking the actions of a legitimate user.
Working from pixels rather than page markup makes the approach effective against dynamic advertisements, which frequently change format and layout and are often delivered inside iframes or as video, where selector-based click scripts are unreliable.
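As an added illustration of the pixel-driven targeting described above (this is not code from Dr.Web's report or from the trojan itself), the following Python script takes a constructed grayscale "screenshot", searches it for an ad button, and returns the coordinates a native tap would be injected at. Two assumptions are made for an offline, dependency-free demo: a plain template match stands in for the TensorFlow.js model, and the tap coordinates are returned rather than injected into a WebView. The frames, the button rendering, and the threshold value are all constructed for the example.

```python
# Added illustration, not code from Dr.Web's report or from the trojan itself.
# The sample, per the article, runs a TensorFlow.js model over screenshots of a
# hidden WebView and taps where the model says an ad element is. Here a plain
# template match stands in for the model (an assumption made for a dependency-
# free, offline demo); the "screenshot" is a constructed grayscale grid.
from typing import List, Optional, Tuple

Frame = List[List[int]]  # rows of grayscale pixels, 0 = black, 255 = white


def make_frame(width: int, height: int, button: Tuple[int, int, int, int]) -> Frame:
    """Constructed stand-in for a WebView screenshot: a dark page with one
    bright "ad button" rectangle at (x, y, w, h). Not taken from any real app."""
    x, y, w, h = button
    frame = [[30] * width for _ in range(height)]
    for row in range(y, y + h):
        for col in range(x, x + w):
            on_edge = row in (y, y + h - 1) or col in (x, x + w - 1)
            frame[row][col] = 255 if on_edge else 220  # light border, lighter fill
    return frame


def button_template(w: int, h: int) -> Frame:
    """The pattern the stand-in 'classifier' looks for: the button's own rendering."""
    return make_frame(w, h, (0, 0, w, h))


def match_score(frame: Frame, template: Frame, x: int, y: int) -> float:
    """Similarity of the template to the frame region whose top-left is (x, y):
    1.0 for identical pixels, 0.0 for maximally different ones."""
    th, tw = len(template), len(template[0])
    diff = 0
    for r in range(th):
        frow, trow = frame[y + r], template[r]
        for c in range(tw):
            diff += abs(frow[x + c] - trow[c])
    return 1.0 - diff / (255.0 * th * tw)


def find_target(frame: Frame, template: Frame,
                threshold: float = 0.95) -> Optional[Tuple[int, int, float]]:
    """Slide the template over the whole frame and return (center_x, center_y,
    score) of the best-matching position, or None when nothing clears the
    threshold. None is the failure mode a clicker must handle: no target, no tap."""
    fh, fw = len(frame), len(frame[0])
    th, tw = len(template), len(template[0])
    best: Optional[Tuple[int, int, float]] = None
    for y in range(fh - th + 1):
        for x in range(fw - tw + 1):
            score = match_score(frame, template, x, y)
            if best is None or score > best[2]:
                best = (x + tw // 2, y + th // 2, score)
    if best is None or best[2] < threshold:
        return None
    return best


def plan_tap(frame: Frame, template: Frame) -> Optional[Tuple[int, int]]:
    """Coordinates a native tap would be injected at. Because they come from
    pixels, not from the page's DOM, it makes no difference whether the ad is
    inline HTML, inside a cross-origin iframe, or an overlay on a video."""
    hit = find_target(frame, template)
    return None if hit is None else (hit[0], hit[1])


if __name__ == "__main__":
    template = button_template(8, 5)
    # The same ad creative rendered at two different positions, as a page that
    # reshuffles its layout would do, plus a page with no ad at all.
    for label, frame in [
        ("ad top-right", make_frame(40, 30, (20, 10, 8, 5))),
        ("ad moved bottom-left", make_frame(40, 30, (3, 22, 8, 5))),
        ("no ad", make_frame(40, 30, (0, 0, 0, 0))),
    ]:
        print(f"{label:22s} -> tap at {plan_tap(frame, template)}")
```

The point of the example is what it does not do: nothing in it touches the page's DOM. A script injected into the page cannot reach into a cross-origin iframe at all under the same-origin policy, and selector-based routines break whenever the ad markup changes, whereas coordinates derived from a screenshot are unaffected by either. The threshold check is the part a working clicker cannot skip; without it, the best-scoring but wrong region would be tapped on every page that carries no ad.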
Advanced Functionality
The malware also has a 'signalling' mode, which streams live video of the hidden browser to the operators over WebRTC and relays their input back. An attacker can thus navigate and type into the invisible screen in real time, which turns the infected device into a remotely driven browser rather than just an automated clicker.
Distribution Methods
The trojan is bundled into a number of games available in the GetApps store. The apps are clean when first published and acquire the malicious component through later updates, so the initial submission looks harmless. Infected games identified so far include (download counts as reported):
- Theft Auto Mafia — 61,000 downloads
- Cute Pet House — 34,000 downloads
- Creation Magic World — 32,000 downloads
- Amazing Unicorn Party — 13,000 downloads
- Open World Gangsters — 11,000 downloads
- Sakura Dream Academy — 4,000 downloads
Outside the official store, the trojan is also distributed through third-party APK sites such as Apkmody and Moddroid, which host modified ('modded') builds of popular applications such as Spotify, YouTube, and Netflix; some of those builds carry the trojan.
Evidence of Infiltration
Reports indicate that many of the apps in Moddroid's "Editor's Choice" section contain malicious code. Infected files are also spread through Telegram channels that offer modified apps, and a Discord server with 24,000 members promoting a modded client called Spotify X has also been identified.
Impact on Users
Click fraud and ad manipulation do not directly target personal data, but they cause battery drain, increased mobile data usage, and premature device wear, and the 'signalling' mode means the hidden browser can be driven interactively by the operators, so the exposure is not limited to wasted resources. Users are strongly advised to avoid installing apps from outside Google Play, especially modded builds promising free premium features or enhanced access; since the trojan reached an official vendor store through updates to previously clean apps, an update after which a game suddenly drains the battery or consumes data while idle should be treated as a warning sign.
Staying informed and cautious can minimize potential risks associated with these advanced click-fraud trojans.