What appeared to be harmless mobile apps were quietly doing much more behind the scenes, as security researchers uncovered a large-scale Android malware operation designed to exploit digital advertising systems without users ever noticing.
For several months, casual games and well-known media apps downloaded by tens of thousands of Android users seemed normal on the surface. Researchers now say these apps were part of a coordinated campaign that transformed smartphones into tools for industrial-level ad fraud, operating silently in the background.
Unlike data-stealing malware, this threat focused on clickjacking and advertising fraud. It did not steal passwords or personal messages. Instead, it drained battery life, increased device wear, and raised mobile data usage. These costs were absorbed by users, while illicit ad revenue flowed to the operators.
According to researchers at mobile security firm Dr.Web, the malware was embedded inside Android apps that secretly loaded ads and simulated user engagement. No alerts, pop-ups, or visible errors appeared. Users only experienced slightly warmer devices and faster battery drain. Researchers said this lack of visibility was intentional and central to the operation’s success.
The infected apps were distributed widely. Dr.Web reported that trojanized versions were shared through third-party APK platforms such as Apkmody and Moddroid. Many were disguised as modified or “premium” versions of popular services, including Spotify, YouTube, Deezer, and Netflix. Telegram channels also promoted infected files under names like Spotify Pro and Spotify Plus.
In one instance, a Discord server with nearly 24,000 subscribers promoted an infected app called Spotify X. Some of these apps delivered the promised features, reducing suspicion and encouraging downloads.
More concerning, researchers also found the malware inside games hosted on Xiaomi’s official GetApps store. Threat actors initially uploaded clean versions, then added malicious components through later updates. Identified titles showed download numbers ranging from a few thousand to over 60,000.
Technically, the malware marked a shift from traditional script-based ad fraud. It used machine learning to analyze ads visually. After downloading a trained model, it displayed ads inside a hidden WebView, captured screenshots, and used TensorFlow.js to identify clickable elements. It then simulated realistic taps and gestures.
Researchers said this visual, human-like interaction helped the malware bypass modern fraud detection systems.
The malware also supported a live mode called “signalling,” allowing attackers to control the virtual browser in real time using WebRTC. All activity remained invisible to the phone owner.
Dr.Web warned that while personal data was not targeted, the scale and sophistication of the operation showed how advanced mobile ad fraud has become. Users were advised to avoid unofficial app sources and modified apps, even when they appear to work normally.



