New AI-powered Android trojan clicks ads — how it hits battery life, data usage and security
Researchers at Dr.Web, via Bleeping Computer, describe a Trojan that uses TensorFlow.js to visually recognize ad elements and simulate clicks in the background. We explain why this matters for your phone, your wallet, and national cyber-resilience.
By Tetiana Suchkova-Ladik
January 23, 2026 · 2 min read
Silent Pest: Why You Should Pay Attention
Dr.Web and Bleeping Computer reported on a new Android trojan that doesn't make noise and doesn't require visible permissions — it visually recognizes ads on pages using models run in the browser environment (TensorFlow.js), and simulates clicks in the background. For the user this isn't theatrical hacking — it's accelerated battery wear, increased mobile data costs, and risks to private data.
How the Trojan Works
Malicious code is added to legitimate apps through updates. It then operates in two modes: in “phantom” mode the models independently find and tap advertising elements, imitating human actions; in “signalling” mode the attackers control actions in real time. This approach makes detection harder with traditional script-based signatures.
"We observe the use of TensorFlow.js for visual recognition of advertising elements in the background — this is a new level of auto-clicker automation that is harder to track by standard methods."
— Dr.Web, security research team
Distribution Channels
The trojan was distributed through the GetApps store on Xiaomi devices and via third‑party repositories (Apkmody, Moddroid), as well as through popular channels on Telegram and Discord. Infected apps appear as familiar games or utilities (among those mentioned — Theft Auto Mafia, Cute Pet House, Sakura Dream Academy), so users rarely suspect a problem until the battery begins to drain quickly.
What Users and the Country Risk
The damage isn't only technical: data costs and device wear are tangible, but the main issue is that it provides a foothold for more complex attacks. Auto-click modules can mask other functions or generate "noisy" activity that distracts from the attackers' real operations. During wartime, when mobile devices are key to communications and critical services, even a "safe" app in the context of mass infection undermines overall cyber-resilience.
Practical Steps for Protection
Experts recommend pragmatic actions:
- Do not install apps from unverified sources; avoid "cracked" APKs and dubious "premium for free" offers.
- Check permissions of installed apps; pay attention to programs allowed to run in the background and those with network access.
- Use official stores or trusted vendor services, enable Play Protect, and keep your OS and apps updated.
- Monitor battery and data: unexpectedly high usage can be an indicator of infection.
- Remove suspicious apps and scan the device with antivirus software from well-known vendors (for example, Dr.Web); if you have serious suspicions — back up your data and perform a factory reset.
- Report discovered threats to CERT‑UA and to your device's vendor.
Context and Outlook
This campaign is an example of how cyber threats evolve: from simple auto-clicker scripts to the use of machine learning models in the browser environment. Analysts note that similar mechanisms could become a platform for more sophisticated frauds, including financial losses in the future. Earlier in 2025 there were cases of trojans that could steal funds or manipulate data of large models — the trend is expected to grow.
Now the question is not only whether this will affect a single phone — but how quickly we, as users, the industry, and the state, will be able to detect and block such threats in order to preserve critical communications and user trust.
