Android.Phantom
Android.Phantom is an Android trojan clicker family used for ad-click fraud on infected smartphones. Doctor Web reported it in January 2026 and linked its distribution to trojanized games and modified apps, including pirated mods of popular applications and streaming apps. The malware was observed in unofficial app sources such as third-party stores, APK portals, malicious websites, Telegram channels, Discord servers, and online software collections, and it was also found in Xiaomi’s official GetApps catalog. Reporting states that several infected GetApps titles were tied to developer SHENZHEN RUIREN NETWORK CO., LTD., and that previously clean apps received malicious updates in late September 2025. Mentioned trojanized titles include Creation Magic World, Cute Pet House, and Theft Auto Mafia. More than 155,000 downloads of compromised games were reported, and spread also occurred through modified versions of Spotify, YouTube, Netflix, and Deezer on unofficial platforms.
Android.Phantom operates in two modes, selected by the attackers' command servers: a “phantom” mode and a WebRTC-based signaling and remote-control mode. In phantom mode it starts together with the trojanized app without any visible alert, loads attacker-specified websites in a hidden browser/WebView, and downloads JavaScript automation code plus machine-learning components to analyze the ads and perform clicks. It uses TensorFlowJS and externally downloaded machine-learning models to analyze screenshots of webpages or advertisements, identify clickable ad elements, and mimic real user interactions at scale. If WebRTC is available, Android.Phantom can establish peer-to-peer connections and broadcast a virtual screen of the loaded website, letting operators view and interact with the infected device in real time (scrolling, tapping, and text input), either manually or through automation. If WebRTC is unavailable, it falls back to JavaScript scripts and TensorFlowJS models downloaded from remote servers to automate the interactions.
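The behaviour described above gives a defender a combination to look for rather than a single indicator: an app that opens a WebView the user never sees, pulls JavaScript and a TensorFlow.js model bundle (model.json plus weight shards) from a remote host, and then starts WebRTC signaling. The following triage script is an added example, not code from Doctor Web or from the Mallory platform. Its per-app telemetry line format, package names, hostnames (all under reserved .invalid/.example domains) and the verdict thresholds are constructed assumptions; the model.json/shard naming is the standard TensorFlow.js layout.

```python
"""Heuristic triage of per-app device telemetry for Android.Phantom-style
click-fraud behaviour.  Added example; log format and values are constructed."""

import re
from collections import defaultdict

# Constructed sample telemetry (assumed format, one event per line):
#   <ts> pkg=<package> kind=<webview|http|webrtc> key=value ...
SAMPLE_LOG = """\
2025-09-30T10:00:01Z pkg=com.example.cutepet kind=webview visible=0 url=https://ads-hub.invalid/landing
2025-09-30T10:00:02Z pkg=com.example.cutepet kind=http host=cdn-x.invalid path=/fw/auto.js
2025-09-30T10:00:03Z pkg=com.example.cutepet kind=http host=cdn-x.invalid path=/ml/model.json
2025-09-30T10:00:03Z pkg=com.example.cutepet kind=http host=cdn-x.invalid path=/ml/group1-shard1of1.bin
2025-09-30T10:00:05Z pkg=com.example.cutepet kind=webrtc event=signaling_offer host=sig.invalid
2025-09-30T10:01:00Z pkg=com.example.newsreader kind=webview visible=1 url=https://news.example/
2025-09-30T10:01:01Z pkg=com.example.newsreader kind=http host=news.example path=/static/app.js
2025-09-30T10:02:00Z pkg=com.example.photolab kind=webview visible=0 url=https://photolab.example/help
2025-09-30T10:02:01Z pkg=com.example.photolab kind=http host=models.example path=/v2/model.json
garbage line that should be ignored
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) kind=(?P<kind>\S+)(?P<rest>.*)$")
# TensorFlow.js weight shards are written as groupN-shardXofY.bin next to model.json
SHARD_RE = re.compile(r"group\d+-shard\d+of\d+\.bin$")


def parse_line(line):
    """Parse one telemetry line into a dict; return None for lines we cannot read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "pkg": m["pkg"], "kind": m["kind"]}
    for kv in m["rest"].split():
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def behaviour_of(ev):
    """Map a single event to the Phantom-relevant behaviour it evidences, if any."""
    kind = ev["kind"]
    if kind == "webview" and ev.get("visible") == "0":
        return "hidden_webview"
    if kind == "webrtc" and ev.get("event", "").startswith("signaling"):
        return "webrtc_signaling"
    if kind == "http":
        path = ev.get("path", "").lower()
        if path.endswith("model.json") or SHARD_RE.search(path):
            return "remote_ml_model"
        if path.endswith(".js"):
            return "remote_js"
    return None


def triage(lines):
    """Aggregate behaviours per package and assign a verdict.

    Verdict thresholds are assumptions for this example:
      phantom_mode          hidden WebView + remote JS + remote ML model
      webrtc_remote_control phantom_mode plus WebRTC signaling
      review                two or more of the behaviours, but not the full set
      none                  at most one behaviour (e.g. a normal visible WebView app)
    """
    seen = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        behaviour = behaviour_of(ev)
        if behaviour:
            seen[ev["pkg"]].add(behaviour)

    verdicts = {}
    for pkg, behaviours in seen.items():
        phantom = {"hidden_webview", "remote_js", "remote_ml_model"} <= behaviours
        if phantom and "webrtc_signaling" in behaviours:
            verdict = "webrtc_remote_control"
        elif phantom:
            verdict = "phantom_mode"
        elif len(behaviours) >= 2:
            verdict = "review"
        else:
            verdict = "none"
        verdicts[pkg] = {"behaviours": sorted(behaviours), "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for pkg, result in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{pkg}: {result['verdict']} {result['behaviours']}")
```

The point of the combination rule is that each piece on its own is common and benign (many apps embed WebViews, many ship on-device ML, many load remote JavaScript); only the full set, fetched in the background from hosts unrelated to the app, matches the two modes the report describes. The `review` bucket keeps partial matches visible for an analyst without auto-flagging them.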
Doctor Web reported that Android.Phantom is updated regularly and ships additional modules, among them a dropper component identified in reporting as Android.Phantom.5, which retrieves remote code loaders and further click-fraud modules from multiple servers to broaden targeting across advertising platforms. Android.Phantom.2.origin was described as the primary variant. High-confidence indicators and characteristics mentioned directly in the source material include the use of WebView, WebRTC, JavaScript, TensorFlowJS, remote command servers, and externally hosted machine-learning models and scripts. The malware’s core objective is covert, large-scale ad fraud while the bundled apps continue to appear functional to the user.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (1 technique)
Stealth (1 technique)
    “Members of the Android.HiddenAds family are often distributed as popular and harmless applications... The trojans were concealed in a number of tools for optimizing the operation of Android devices, and were distributed under the guise of messengers, multimedia, and other software.”
Command and Control (3 techniques)
    “Using Android.Phantom trojans, cybercriminals manipulate ad clicks on websites with the help of both machine-learning technologies and WebRTC... The clickers download the required behavioral model from a remote server as well as JavaScript containing the framework itself”
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Trojan clicker family that manipulates ad clicks on websites using machine learning, WebRTC, WebView, and TensorFlowJS-based automation.
Android clicker trojan that uses machine learning and video broadcasts to artificially boost clicks on websites.
Android trojan family distributed via games and pirated app mods; described as using machine learning and video streams to manipulate clicks.
Android trojan family described as spreading via games and pirated app mods.