A sophisticated new Android malware family dubbed “Android.Phantom” leverages artificial intelligence to automate ad-clicking fraud while establishing a persistent command-and-control infrastructure through dual-mode operation.
The malware operates through two distinct modes, “phantom” and “signaling”, controlled from the hxxps://dllpgd[.]click command server.
In phantom mode, Android.Phantom.2.origin deploys a hidden WebView browser that loads target advertising websites and executes a JavaScript file named “phantom” containing the TensorFlowJS machine learning framework.
The ML model downloads from hxxps://app-download[.]cn-wlcb[.]ufileos[.]com and analyzes screenshots of virtual screens to identify and automatically click ad elements.
The more advanced signaling mode uses WebRTC to establish direct peer-to-peer connections, enabling attackers to broadcast live video streams of infected device screens and remotely control browsers for precise click manipulation.
This bidirectional capability transforms compromised devices into interactive bots under direct human or automated control.
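The two hosts quoted above (the command server and the ML model host) are the only network indicators given in this write-up. As an added example that is not Doctor Web's tooling, the following Python refangs those defanged indicators and matches them against DNS query logs; the log line format, timestamps and client IP addresses are constructed for the example, and subdomain matching is an assumption about how the infrastructure might be used rather than something the write-up states.

```python
"""Match the defanged network IoCs from the write-up against DNS query logs.

Added example, not Doctor Web's code. The log format and the sample lines
below are constructed for illustration.
"""
import re
from typing import Iterable

# Indicators exactly as the write-up defangs them (hxxps://, [.]).
DEFANGED_IOCS = [
    "hxxps://dllpgd[.]click",                          # command server
    "hxxps://app-download[.]cn-wlcb[.]ufileos[.]com",  # ML model download host
]


def refang(ioc: str) -> str:
    """Turn a defanged URL back into a bare lowercase hostname for matching."""
    s = ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
    s = s.replace("[.]", ".").replace("[:]", ":")
    host = re.sub(r"^https?://", "", s).split("/", 1)[0]
    return host.lower()


IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}


def is_ioc_host(qname: str) -> bool:
    """True if qname equals an IoC host or is a subdomain of one.

    Subdomain matching is an assumption (e.g. a CDN label in front of the
    C2 domain); the write-up only lists the apex hosts.
    """
    q = qname.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in IOC_HOSTS)


# Constructed resolver log format: "<ts> client=<ip> qname=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+)")


def scan_dns_log(lines: Iterable[str]) -> list[dict]:
    """Return one record per log line whose query name matches an IoC host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        if is_ioc_host(m["qname"]):
            hits.append(
                {"ts": m["ts"], "client": m["client"], "qname": m["qname"].rstrip(".")}
            )
    return hits


# Constructed sample log: two true hits, one benign name, one look-alike
# ("notdllpgd.click") that must NOT match on a naive suffix test.
SAMPLE_LOG = """\
2025-10-20T09:14:02Z client=10.0.4.21 qname=example.com.
2025-10-20T09:14:05Z client=10.0.4.21 qname=dllpgd.click.
2025-10-20T09:14:09Z client=10.0.4.33 qname=app-download.cn-wlcb.ufileos.com.
2025-10-20T09:15:11Z client=10.0.4.33 qname=notdllpgd.click.
""".splitlines()


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} -> {h['qname']}")
```

Clients that resolve either host are candidates for a closer look at installed packages from the GetApps titles and the mod sites named below; the check deliberately requires a label boundary before the IoC domain so that unrelated names sharing a suffix are not flagged.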
Multi-Stage Malware Deployment
The attack chain evolved through strategic updates. Initial game versions remained clean until September 28/29, when developers integrated Android.Phantom.2.origin.
A subsequent October 15/16 update introduced the Android.Phantom.5 dropper module, which delivers the Android.Phantom.4.origin remote code loader to fetch additional clicker variants and the Android.Phantom.5.origin spyware component.
This modular design enables attackers to dynamically update payloads without redistributing entire applications.
The malware primarily spreads through six infected games on Xiaomi’s official GetApps marketplace, all published by SHENZHEN RUIREN NETWORK CO., LTD:
| Infected Game | Downloads |
|---|---|
| Creation Magic World | >32,000 |
| Cute Pet House | >34,000 |
| Amazing Unicorn Party | >13,000 |
| Sakura Dream Academy | >4,000 |
| Theft Auto Mafia | >61,000 |
| Open World Gangsters | >11,000 |
Beyond gaming apps, attackers infiltrated popular application mods, including Spotify Premium unlocks, YouTube ad-free versions, Deezer enhancements, and Netflix circumvention tools.
Distribution occurs through dedicated websites (Spotify Plus, Spotify Pro, Apkmody, Moddroid) and Telegram channels with substantial reach; the Moddroid.com channel alone has 87,653 subscribers.
A Discord server named “Spotify X” with approximately 24,000 members actively promotes infected mods, with administrators directly offering downloads.
Mitigations
Infection data reveals concentrated impact across European languages: Spanish, French, German, Polish, and Italian speakers represent the most affected non-English demographics.

The malware poses multifaceted risks: devices become unwitting DDoS bots, facilitate illegal online activities, drain battery and data resources through continuous operation, and leak personal information including phone numbers, geolocation, and installed application lists via the spyware module.
Doctor Web emphasizes that users seeking unauthorized access to premium services, particularly in regions with payment restrictions, face heightened exploitation risk.
Children seeking free games and entertainment remain especially vulnerable due to limited digital hygiene awareness.
The researchers strongly recommend avoiding mod downloads from unverified sources and deploying comprehensive mobile security solutions to protect smartphones, tablets, gaming consoles, and smart TVs.