It’s a common frustration for many Android users: the smartphone battery that drains inexplicably by midday, the device that overheats even in standby, or mobile data consumption far out of line with one’s habits.
The blame is often placed on hardware wear or on a poorly optimized operating system, but recent cybersecurity findings point to a much more insidious cause.
Behind these symptoms may hide a new and sophisticated family of trojans, designed to generate illicit profit through advertising fraud, which nests in exactly the modified apps that users seek out to obtain premium services at zero cost.
The AI Trojan family is spreading via the Xiaomi Store and cracked apps

What distinguishes this new wave of malware, identified by researchers from Dr.Web, is the high level of technological sophistication employed.
We’re no longer dealing with simple scripts that blindly click on hidden links. The criminals have made a leap in quality, integrating machine learning models built on TensorFlow, Google’s well-known open-source library.
Traditionally, “click-fraud” trojans tried to interact with the code of web pages to simulate a click, a technique that modern security systems now detect easily.
The new threat behaves in a far more human-like way. The malware uses a mode called “phantom”, creating a hidden browser on a virtual display that is invisible to the user.
There it loads the target pages and uses TensorFlow.js to visually analyze what appears on that display. The software takes screenshots of the page, recognizes the advertising elements and decides where to “tap”.
This ability to see and interpret the interface makes the malware highly resilient to changes in website layouts and very hard to tell apart from a real user.
There is also a more invasive mode, called “signalling”, that lets the criminals receive a real-time stream of the virtual browser over WebRTC, so they can take manual control to scroll through pages or enter text.
From games on the Xiaomi Store to Spotify mods
The distribution strategy is wide-reaching and skillfully exploits users’ trust. An unexpected infection vector was identified in GetApps, the official store for Xiaomi devices.
There, several seemingly harmless games, such as “Theft Auto Mafia” or “Cute Pet House”, hid the malicious code. Some of the infected apps discovered, with their download counts:
- Theft Auto Mafia – 61,000 downloads
- Cute Pet House – 34,000 downloads
- Creation Magic World – 32,000 downloads
- Amazing Unicorn Party – 13,000 downloads
- Open World Gangsters – 11,000 downloads
- Sakura Dream Academy – 4,000 downloads
The tactic is a delayed “Trojan horse”: the apps are first uploaded to the store in a clean version to pass security checks, and receive the malicious components only later through subsequent updates.
The largest distribution channel, however, is the world of modded apps, i.e., altered versions of popular services such as Spotify, YouTube, Netflix and Deezer, advertised as free and ad-free.
Heavily visited third-party portals such as Apkmody and Moddroid have proven fertile ground for this campaign. The researchers noted that most apps in Moddroid’s “Editor’s Choice” section were infected.
Distribution also extends to messaging platforms: Telegram channels and Discord servers with tens of thousands of subscribers push infected APK files under names like Spotify Pro or Spotify X.
The apps work, but the risks are real
The most insidious aspect of this threat is that the downloaded apps actually work. The user really does get the promised premium features, which drastically lowers the threshold of suspicion.
While the unsuspecting victim listens to music without commercials, the phone’s processor works tirelessly in the background, running the hidden browser and the AI processing needed to defraud the advertising networks.
Although this kind of fraud does not directly target banking data or credentials, the impact on the end user is tangible and costly.
The malware’s constant activity causes premature battery degradation, forcing more frequent charging cycles, and can lead to unexpected bills from heavy data traffic.
The recommendation remains the same: avoid installing APK files from unofficial sources and be wary of offers that give away services that would normally require a subscription. The price of that saving, in the end, is paid by our device.
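One practical check that follows from this recommendation, added here as an example and not part of the original article or of Dr.Web’s research: it parses the output of `adb shell pm list packages -i` (each line reads `package:<name>  installer=<store or null>`) and flags packages that were sideloaded or installed from a store outside an allow-list. The sample lines are constructed, and the two store package names in the allow-list are assumptions.

```python
import re

# Assumed store package names (Google Play, Xiaomi GetApps). A listed store is
# only a weak signal, since the article notes trojanised games on GetApps too.
TRUSTED_INSTALLERS = {"com.android.vending", "com.xiaomi.mipicks"}

# One line of `adb shell pm list packages -i` output, e.g.
# "package:com.android.chrome  installer=com.android.vending"
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_output(text):
    """Return {package: installer or None} from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # ignore blank lines and anything not in the expected format
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def classify(packages, trusted=TRUSTED_INSTALLERS):
    """Group packages as sideloaded (no installer), third-party store, or trusted store."""
    report = {"sideloaded": [], "third_party": [], "trusted": []}
    for pkg, installer in sorted(packages.items()):
        if installer is None:
            report["sideloaded"].append(pkg)
        elif installer in trusted:
            report["trusted"].append(pkg)
        else:
            report["third_party"].append((pkg, installer))
    return report


# Constructed sample, standing in for the real adb output.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.spotifypro  installer=null
package:com.example.cutepet  installer=com.xiaomi.mipicks
package:com.example.modplayer  installer=com.example.otherstore
"""

if __name__ == "__main__":
    # On a real device: text = subprocess.check_output(
    #     ["adb", "shell", "pm", "list", "packages", "-i"], text=True)
    report = classify(parse_pm_output(SAMPLE))
    for pkg in report["sideloaded"]:
        print(f"SIDELOADED (review first): {pkg}")
    for pkg, store in report["third_party"]:
        print(f"THIRD-PARTY STORE {store}: {pkg}")
```

Sideloaded entries are where a “Spotify Pro”-style mod would normally show up; store-installed entries still deserve a look against the game names listed above, since a clean first upload can turn malicious through a later update.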