A new strain of Android malware is abusing on-device AI to silently click ads and, in some cases, take over your screen. Security analysts at Dr.Web, as reported by Bleeping Computer, say the trojan hides inside casual games and is spreading through third-party app stores and channels, including Xiaomi’s GetApps, rogue APK sites, and Telegram groups offering “modded” apps.
On the surface, this looks like garden-variety ad fraud. Under the hood, it’s notable: the code uses machine learning to mimic real users with a level of nuance that makes old-school detection far less effective. That sophistication opens the door to broader abuse, from data theft to using your device as a vector to infect others.

How the AI-driven Android ad fraud operates under the hood
Researchers say the malware bundles models that run locally via TensorFlow.js, Google’s open-source ML framework for JavaScript. When an interstitial or rewarded ad appears, the model analyzes screen content, identifies click targets, and fires off taps without the user touching the device. Because ads vary by creative, placement, and timing, the ML layer helps the malware adapt in real time.
To keep activity out of sight, the trojan can spin up a hidden browser window — a so-called “phantom” mode — to load and interact with ads in the background. That avoids obvious UI anomalies and can operate even when the game is minimized, quietly inflating click-through rates and payouts.
When automation misfires, operators can fall back to “signaling,” a control technique where instructions from a command server trigger on-screen actions such as scrolling and tapping. That same capability to simulate input is why researchers warn the threat extends beyond ad fraud: with device interaction at its disposal, the malware could be repurposed to phish credentials, authorize purchases, or install additional payloads.

Where the malware is spreading and the channels involved
Dr.Web links several infected titles to a single publisher, Shenzhen Ruiren Network Co., Ltd., and notes that some were available on Xiaomi’s GetApps store. Others have been circulating on popular APK hubs such as Apkmody and Moddroid, as well as Telegram channels that trade in altered versions of paid or subscription apps.
Threats like this exploit the fragmented Android app ecosystem. Alternative stores and sideloading can be useful, but vetting standards vary widely. While Google Play Protect has expanded real-time scanning for sideloaded apps, anything installed from unknown sources increases risk — especially “modded” packages that invite tampering by design.

Why this threat matters beyond fake clicks and ad fraud
For users, the immediate impact includes battery drain, overheating, unexpected data usage, and sluggish performance as the malware loads ads and hidden web views. The bigger concern is capability creep: if an operator can drive your screen, they can steer you toward malicious logins, authorize permissions, or pivot to more serious compromises.

For the industry, AI-driven ad fraud scales quickly. Google’s most recent Ads Safety reporting cites more than 5 billion bad ads blocked or removed in a year, illustrating the scope of the arms race. Independent analyses from firms like Juniper Research and the Association of National Advertisers regularly peg digital ad fraud losses in the tens of billions annually. Models that better mimic human behavior make those losses harder to contain.

What you should do now to protect your Android device
Uninstall any unfamiliar casual games you grabbed from third-party stores, APK sites, or Telegram links — especially if they began showing aggressive ads or caused sudden battery or data spikes. If you use Xiaomi’s GetApps, review recent installs and remove titles from unknown developers, including any associated with Shenzhen Ruiren Network Co., Ltd.
Run a fresh device scan. Enable Google Play Protect and trigger a manual check from the Play Store settings. Consider a reputable mobile security app from well-known vendors such as Dr.Web, Bitdefender, ESET, or Kaspersky to catch sideloaded threats.
Audit sensitive permissions. In Settings, review Accessibility, Install Unknown Apps, and Display Over Other Apps. Revoke access for apps that shouldn’t need it. Check per-app mobile data usage and restrict background data for anything suspicious. Keep your system and any OEM app stores up to date.
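
The install-source and Accessibility review described above can also be scripted from a workstation. The following is an added example, not code from Dr.Web or the original article: it parses the output of two standard adb commands and lists apps that were not installed by Google Play or that own an enabled accessibility service. The trusted-installer list, the sample package names, and the sample output are constructed assumptions.

```python
import re

# Assumption: only Google Play (com.android.vending) is a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE_PM = """\
package:com.example.puzzlegame  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.runner  installer=com.example.altstore
package:com.example.reader  installer=com.android.vending
"""
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = "com.example.puzzlegame/.TapService:com.example.reader/com.example.reader.ReadAloud"

def parse_installers(pm_output):
    """Map each third-party package to its installer (None = no installer recorded)."""
    result = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result

def parse_accessibility(setting_value):
    """Return the set of packages that own an enabled accessibility service."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def audit(pm_output, a11y_value):
    """List (package, source, has_accessibility) for apps that need a manual look."""
    a11y = parse_accessibility(a11y_value)
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        untrusted = installer not in TRUSTED_INSTALLERS
        if untrusted or pkg in a11y:
            findings.append((untrusted and pkg in a11y, pkg, installer or "no-installer"))
    # Untrusted source plus accessibility access sorts first, then by package name.
    findings.sort(key=lambda f: (not f[0], f[1]))
    return [(pkg, source, pkg in a11y) for _, pkg, source in findings]

if __name__ == "__main__":
    for pkg, source, has_a11y in audit(SAMPLE_PM, SAMPLE_A11Y):
        print(f"{pkg:28} source={source:22} accessibility={has_a11y}")
```

Apps that appear first in the output combine an untrusted install source with accessibility access and are the ones to review or remove first.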
For organizations, enforce mobile device management policies that block sideloading, restrict alternative stores, and monitor for anomalous network activity. Educate users about the risks of “modded” APKs and the growing use of AI in mobile fraud.
The takeaway: adware on Android is not new, but pairing it with on-device machine learning is. Treat unofficial app sources with extreme caution, and don’t ignore the subtle signs of a phone working when you aren’t. If AI can click like a human, it can just as easily be turned toward attacks that matter far more than an inflated ad bill.
