Android click-fraud trojans using TensorFlow.js to automate hidden ad taps
Malware Activity
Summary
Hide ▲
Show ▼
The Android click-fraud trojan family now uses TensorFlow.js to identify and tap ad elements on Android devices, making fraudulent clicks more adaptive and harder to spot. The malware’s covert hidden WebView workflow lets it mimic normal user activity while driving ad traffic. It is also spread through Xiaomi GetApps and third-party APK channels, expanding exposure beyond trusted app sources. The main user impact is battery drainage and increased mobile data charges.
Related Happenings
RedWing Android spyware rented through Telegram
Malware Activity
H score21
First: 08.07.2026 18:30
Last: 08.07.2026 18:30
Sources 1
About this happening:
The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android spyware rented through Telegram
Malware ActivityAbout this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass
Technical Analysis
H score45
First: 06.06.2026 11:29
Last: 06.06.2026 11:29
Sources 1
About this happening:
Researchers **reverse-engineered Bright Data's iOS SDK** and found it can turn consumer devices into **exit nodes** for web-scraping traffic. The teardown showed the job channel h...
Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass
Technical AnalysisAbout this happening: Researchers **reverse-engineered Bright Data's iOS SDK** and found it can turn consumer devices into **exit nodes** for web-scraping traffic. The teardown showed the job channel h...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
Campaign
H score73
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
CampaignAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
Trapdoor Android malvertising and ad-fraud campaign
Campaign
H score39
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Trapdoor Android malvertising and ad-fraud campaign
CampaignAbout this happening: The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/Service
H score10
First: 14.05.2026 16:30
Last: 14.05.2026 16:30
Sources 1
About this happening:
Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/ServiceAbout this happening: Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Timeline
-
22.01.2026 00:07 2 articles · 5mo ago
Dr.Web reports Android click-fraud trojans using TensorFlow.js and hidden WebView
Initial DisclosureDr.Web identified a new family of Android click-fraud trojans that uses TensorFlow.js and a hidden WebView to visually detect and tap ad elements instead of script-based DOM click routines. The malware is distributed through Xiaomi GetApps, third-party APK sites, Telegram channels, and a Discord server, and it operates with 'phantom' and 'signalling' modes that can covertly automate clicks or stream the virtual browser screen for operator control. Affected Android users can experience battery drainage, premature battery degradation, and increased mobile data charges.
Show sources
- New Android malware uses AI to click on hidden browser ads — www.bleepingcomputer.com — 22.01.2026 00:07
- New Android malware uses AI to click on hidden browser ads — www.bleepingcomputer.com — 22.01.2026 00:07