Phantom Malware in Android Game Mods Hijacks Phones for Ad Fraud – Hackread – Cybersecurity News, Data Breaches, AI, and More


Phantom malware hidden in Android game mods hijacks devices to run covert ad fraud, using remote control and machine learning to mimic user behavior.

Android smartphone owners installing modified games and apps now face yet another threat, one that turns their devices into tools for click fraud, researchers at Doctor Web’s antivirus lab report. The malware, part of a family tracked as Android.Phantom, has been found bundled with popular titles and spreads through unofficial app sources and third‑party stores.

Researchers first noticed this strain after several Android games began behaving suspiciously following updates in late September 2025 from a single developer account. Titles such as Creation Magic World, Cute Pet House, and Theft Auto Mafia were clean before September 2025, but versions distributed later were bundled with the trojan. Once installed, the malware launches along with the game without any visible alert to the user.

Two of the malicious apps flagged by researchers, among several identified in the campaign (Image credit: Doctor Web)

According to Doctor Web’s report, the Android.Phantom family operates in two modes controlled by commands from remote servers. In the so‑called “phantom” mode, the malware uses a hidden browser component to load specified web pages, then downloads a script and a machine‑learning model to analyse and interact with ads, mimicking real user clicks. It also pulls machine‑learning code from an external host to assist in automating this interaction.

In its alternate mode, the malware sets up peer‑to‑peer connections using WebRTC, allowing remote controllers to see and interact with the user’s virtual screen in real time. That remote session can perform actions such as scrolling, tapping, and text input directly on the infected device.

Doctor Web also noted that use of the Android.Phantom toolkit has grown over time, with regular updates adding new capabilities. An additional module acts as a dropper, fetching more click‑fraud components from different servers. These additional pieces focus on predefined click routines across other target sites, broadening the scale of fraud.

It is worth pointing out that signs of this threat aren’t obvious to users. The affected games function normally on the surface, luring victims with familiar names and high download counts, while covert activity runs in the background. Researchers warn that installers sourced outside official app stores carry the highest risk, especially when obtained from APK portals or community channels in messaging apps.

Whether you use an Android device or an iPhone, it’s best to avoid installing apps from third-party stores. Even official app stores aren’t foolproof, as cybercriminals have managed to slip malicious apps into them in the past. Always think twice before downloading.




