Android Click-Fraud Trojans Adopt TensorFlow Machine Learning for Advanced Ad Interaction

A new family of Android click-fraud trojans has been identified, utilizing TensorFlow machine learning (ML) models to automatically detect and interact with advertisement elements.

Mechanism of Operation

These trojans locate ad elements by visually analysing the rendered page with an ML model, rather than relying on predefined JavaScript click routines or script-driven DOM manipulation as earlier click-fraud families did. The operators use TensorFlow.js, Google's open-source library for running ML models in a browser or under Node.js, so the model runs directly inside the embedded browser that renders the target page.

Distribution Channels

Researchers at mobile security firm Dr.Web discovered these trojans distributed via GetApps, the official app store for Xiaomi devices. The malware is also spread through third-party APK sites such as Apkmody and Moddroid, often disguised as altered versions of popular apps like Spotify, YouTube, Deezer, and Netflix. Infected APK files are also found on Telegram channels and a Discord server.

Operational Modes

The malware operates in two primary modes:

  • 'Phantom' Mode: A hidden, WebView-based browser loads the page targeted for click fraud together with a JavaScript payload. After fetching a trained ML model from a remote server, the malware renders the hidden browser onto a virtual display and feeds screenshots of it to TensorFlow.js, which locates the relevant UI elements so that taps can be synthesised at the right coordinates. Because targeting is visual rather than DOM-based, the technique keeps working when ad markup is dynamic or changes frequently.
  • 'Signalling' Mode: WebRTC streams a live video feed of the virtual browser screen to the operators, who then act on it in real time: tapping, scrolling and entering text.
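The two modes above share a footprint that a malware analyst can look for inside a sample: a bundled TensorFlow.js runtime, code that fetches a model from a remote URL, WebRTC screen-streaming calls, and a virtual display used to host the hidden WebView. The Python triage script below is an added example, not Dr.Web's detection logic or code from the trojans, and scans an APK (a zip archive) for those string-level indicators. The indicator patterns, the mode mapping in classify() and the archive built by build_sample_apk() are all assumptions constructed for the example; because the page says the JavaScript and model are loaded from a remote server at runtime, a real sample may carry none of these strings, so a clean scan is not proof of absence.

```python
import io
import re
import zipfile

# Assumed string-level indicators for the capabilities described above.
# Illustrative only: these are not Dr.Web's signatures, and obfuscation or
# runtime-only loading of the JavaScript and model will defeat them.
INDICATORS = {
    "tfjs_runtime":       [rb"@tensorflow/tfjs", rb"tf\.loadGraphModel", rb"tf\.loadLayersModel"],
    "remote_model_fetch": [rb"https?://[^\s'\"]+/model\.json"],
    "webrtc_streaming":   [rb"RTCPeerConnection", rb"captureStream\("],
    "virtual_display":    [rb"VirtualDisplay", rb"createVirtualDisplay"],
}


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every entry of an APK (a zip archive) for the indicator patterns.

    Returns a mapping indicator -> sorted list of entry names that matched.
    Entries are read raw, so the patterns also hit ASCII strings inside
    classes.dex and bundled JavaScript without any decoding step.
    """
    hits = {name: [] for name in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)
            for name, patterns in INDICATORS.items():
                if any(re.search(p, data) for p in patterns):
                    hits[name].append(info.filename)
    return {name: sorted(files) for name, files in hits.items()}


def classify(hits: dict) -> list:
    """Map indicator hits onto the two operating modes described in the text.

    'phantom' needs both an ML runtime and a remote model fetch; 'signalling'
    needs WebRTC streaming. A virtual display on its own is only supporting
    evidence, since legitimate screen-mirroring apps use it too.
    """
    modes = []
    if hits["tfjs_runtime"] and hits["remote_model_fetch"]:
        modes.append("phantom")
    if hits["webrtc_streaming"]:
        modes.append("signalling")
    return modes


def build_sample_apk(malicious: bool) -> bytes:
    """Construct an in-memory archive laid out like an APK (test data, not a real sample).

    A real AndroidManifest.xml is binary XML and classes.dex is a DEX file; the
    placeholders here only need to carry the ASCII strings the scanner looks for.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.game'/>")
        z.writestr("classes.dex", b"dex\n035\x00...WebView...setVisibility...")
        if malicious:
            z.writestr("assets/tf.min.js", b"/* @tensorflow/tfjs 4.x */ var tf=...;")
            z.writestr("assets/phantom.js",
                       b"const m=await tf.loadGraphModel('https://cdn.example.invalid/v1/model.json');")
            z.writestr("assets/signal.js",
                       b"const pc=new RTCPeerConnection(cfg);pc.addTrack(canvas.captureStream(15).getVideoTracks()[0]);")
            z.writestr("classes2.dex", b"dex\n035\x00...DisplayManager.createVirtualDisplay...")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "malicious"):
        hits = scan_apk(build_sample_apk(label == "malicious"))
        print(label, classify(hits), {k: v for k, v in hits.items() if v})
```

To triage a real file, pass its bytes to scan_apk() (for example `scan_apk(open(path, "rb").read())`); treat "phantom" or "signalling" as a reason to pull the sample into dynamic analysis, not as a verdict, and capture the network traffic of the hidden WebView there, since that is where a runtime-loaded model and payload become visible.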

Identified Infected Applications

Numerous games on Xiaomi's GetApps platform were identified as distributing the malware. These apps are clean when first installed; the malicious components arrive through later updates, so a store review at publication time does not catch them. Examples include:

  • Theft Auto Mafia (61,000 downloads)
  • Cute Pet House (34,000 downloads)
  • Creation Magic World (32,000 downloads)
  • Amazing Unicorn Party (13,000 downloads)
  • Open World Gangsters (11,000 downloads)
  • Sakura Dream Academy (4,000 downloads)

Modified versions of streaming apps such as Spotify X were also found on Discord and Telegram channels. Some of these builds remain fully functional as streaming clients, which keeps users from suspecting them.

Impact and User Advice

Click fraud and ad fraud do not directly target user data or privacy, but they are a lucrative criminal business. Users bear the cost indirectly: the hidden WebView and model inference run continuously, so infected devices suffer faster battery drain, accelerated wear and higher mobile data charges. Android users are advised to install apps only from Google Play and to be especially wary of modified versions of popular apps that promise extra features or free premium access. The GetApps findings also show that a vendor's official store is no guarantee on its own, since an app that was clean at install time can turn malicious through an update.