Phantom Malware Hijacks Devices for Ad Fraud

  • Jan 28

Key Findings


  • Android game mods bundled with "Android.Phantom" malware hijack devices for covert ad fraud

  • Malware operates in two modes: "phantom" mode for automated ad interaction and a remote control mode for real-time device control

  • Uses machine learning techniques to mimic user behavior and avoid detection

  • Spreads through unofficial app stores and third-party sources, not the official Google Play Store

  • Affects popular game titles with high download counts, making it difficult for users to detect


Background


Researchers at Doctor Web's antivirus lab have identified a malware family called "Android.Phantom" that is being bundled with modified versions of popular Android game apps. This malware hijacks infected devices to run covert ad fraud operations, leveraging advanced techniques like remote control and machine learning to avoid detection.


The malicious apps were first noticed in late September 2025, when several Android games from a single developer account began exhibiting suspicious behavior after updates. Titles such as "Creation Magic World", "Cute Pet House", and "Theft Auto Mafia" were previously clean, but versions distributed later contained the Android.Phantom malware.


Malware Operation


The Android.Phantom malware operates in two distinct modes controlled by remote commands:


1. "Phantom" Mode: In this mode, the malware uses a hidden browser component to automatically load specified web pages, download scripts and machine learning models, and interact with ads to generate fraudulent clicks. It utilizes advanced ML techniques to mimic real user behavior.


2. Remote Control Mode: The malware sets up peer-to-peer connections using WebRTC, allowing remote operators to view and control the infected device's screen in real time. This lets them directly perform actions such as scrolling, tapping, and text input.


Researchers also found that the Android.Phantom toolkit receives regular updates, adding new capabilities over time. An additional module acts as a dropper, fetching more click-fraud components from different servers to expand the scale of the fraud operation.


User Impact and Mitigation


The malicious apps are designed to blend in with legitimate games, taking advantage of high download counts and familiar titles to lure victims. The covert malicious activity runs in the background without any obvious signs to the user.


Researchers warn that installing apps from unofficial sources, such as APK portals or community channels, carries the highest risk of encountering this type of threat. Even the official Google Play Store is not entirely immune, as cybercriminals have managed to slip malicious apps past its defenses in the past.


To stay safe, users should avoid downloading Android apps from third-party stores and stick to the official Google Play Store. Additionally, being cautious when installing any new apps, even from the Play Store, and keeping devices updated with the latest security patches can help mitigate the risk of falling victim to such sophisticated malware campaigns.


Sources


  • https://hackread.com/phantom-malware-android-game-mods-ad-fraud/

  • https://www.instagram.com/p/DT-qA9oj0aI/

© 2025 by Explain IT Again.