The malware can switch to a signalling mode that allows attackers to manually scroll and tap through a live stream of the virtual screen.
The malware is reportedly mainly spread through Android apps or games
Photo Credit: Unsplash/ NordWood Themes
Android users are being warned about a new and more advanced form of mobile malware that quietly uses machine learning technology to generate ad clicks in the background. Unlike earlier threats that relied on predictable scripts, this malware adapts to different ad formats and operates in a hidden mode, making detection harder. Security researchers say the threat was detected in apps on an OEM's app store, as well as websites that host APKs for third-party Android apps.
According to a Dr. Web report, security researchers have uncovered a new Android malware strain that uses an open-source machine learning library from Google to secretly generate ad clicks, highlighting the increasing sophistication of mobile threats.
Unlike traditional ad fraud tools that rely on fixed scripts, this malware uses Google's TensorFlow.js library to analyse visual elements on the screen. When an advertisement appears inside an app or game, it identifies clickable areas and interacts with them automatically. This lets the malware adapt to changing ad formats, layouts, and placements, including dynamically embedded ads.
The report adds that the malware can operate in a hidden “phantom” mode, where it launches a hidden WebView where ads are loaded and receive clicks entirely in the background. This inflates the click-through rates without any visible signs on the device. As a result, users may only notice indirect effects such as increased battery drain, higher data usage, or slower performance.
If automated interactions fail, the malware can switch to a signalling mode that allows attackers to manually control actions like scrolling and tapping using a WebRTC-based signalling mode, according to the researchers.
The report claimed that the malware is mainly spread through casual Android games. Several infected apps were found on Xiaomi's GetApps store, often after being updated with malicious components following initial approval. Infected apps have also circulated on third-party APK platforms such as Apkmody and Moddroid, as well as Telegram channels that distribute modified versions of popular apps.
To reduce the risk of malware, users are advised to avoid installing apps from unofficial sources, review recently downloaded games, enable Google Play Protect, and regularly audit app permissions. Keeping devices updated and running security scans can also help limit exposure to AI-driven mobile threats.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.