Android click-fraud trojans using TensorFlow.js to automate hidden ad taps
Malware Activity
Summary
The Android click-fraud trojan family now uses TensorFlow.js to identify and tap ad elements on Android devices, making fraudulent clicks more adaptive and harder to spot. The malware’s covert hidden WebView workflow lets it mimic normal user activity while driving ad traffic. It is also spread through Xiaomi GetApps and third-party APK channels, expanding exposure beyond trusted app sources. The main user impact is battery drainage and increased mobile data charges.
Related Happenings
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/Service
First: 14.05.2026 16:30
Last: 14.05.2026 16:30
Sources 1
About this happening:
Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/Service
First: 13.05.2026 09:55
Last: 13.05.2026 09:55
Sources 1
About this happening:
**Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
First: 11.05.2026 12:03
Last: 11.05.2026 12:03
Sources 1
About this happening:
The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
Timeline
- 22.01.2026 00:07 · 2 articles · 4mo ago
Dr.Web reports Android click-fraud trojans using TensorFlow.js and hidden WebView
Initial Disclosure
Dr.Web identified a new family of Android click-fraud trojans that uses TensorFlow.js and a hidden WebView to visually detect and tap ad elements instead of script-based DOM click routines. The malware is distributed through Xiaomi GetApps, third-party APK sites, Telegram channels, and a Discord server, and it operates with 'phantom' and 'signalling' modes that can covertly automate clicks or stream the virtual browser screen for operator control. Affected Android users can experience battery drainage, premature battery degradation, and increased mobile data charges.
Sources:
- New Android malware uses AI to click on hidden browser ads — www.bleepingcomputer.com — 22.01.2026 00:07