Android.Phantom trojans are bundled with modded games and popular apps to infiltrate smartphones. They use machine learning and video broadcasts to engage in click fraud
January 21, 2025
Xiaomi’s GetApps software catalogue is one of its principal distribution channels.
We have been able to identify multiple games that contain the trojans. They include: Creation Magic World (over 32k downloads), Cute Pet House (over 34k downloads), Amazing Unicorn Party (over 13k downloads), Sakura Dream Academy (over 4k downloads), Theft Auto Mafia (more than 61k downloads), and Open World Gangsters (over 11k downloads). All of the compromised games appear to have been uploaded by a single developer—SHENZHEN RUIREN NETWORK CO., LTD. The trojans are bundled with the apps and start alongside them.
It is also worth mentioning that the original versions of the above-listed titles contained no malicious code. On September 28-29, the developer rolled out game updates that contained the Android.Phantom.2.origin trojan. This malicious program can operate in two modes that are designated in its code as the signalling and phantom modes.
In phantom mode, the malware uses its hidden WebView widget to load web content. Upon receiving a corresponding command from the server hxxps[:]//playstations[.]click, it loads a click fraud target site and downloads a JavaScript file named “phantom”. The file incorporates an automation script for interacting with ads on the site as well as the TensorFlowJS machine learning framework. The framework model is downloaded to the app’s directory from the server hxxps[:]//app-download[.]cn-wlcb[.]ufileos[.]com. To work with certain types of ads, Android.Phantom.2.origin outputs the content to a virtual screen and takes screenshots. The trojan will then use TensorFlowJS routines to analyse them and tap on the identified relevant elements.
In signalling mode, the trojan employs WebRTC to connect to a third-party server. This technology enables browsers and other apps to establish peer-to-peer connections and exchange data, audio, and video in real time with no additional software needing to be installed. When the signalling mode is enabled, the previously mentioned server hxxps[:]//dllpgd[.]click acts as a central server to help the WebRTC nodes find each other. This server also determines whether the trojan should run in phantom or signalling mode. Tasks related to targeted sites are provided by hxxps[:]//playstations[.]click. Then Android.Phantom.2.origin covertly transmits to the perpetrators a video showing a loaded website on a virtual screen. The trojan allows the connected WebRTC peer to remotely control the browser on the virtual screen: tap, scroll, and enter or paste text into the input form.
On October 15-16, yet another update was released for the above-mentioned games. In addition to Android.Phantom.2.origin, they delivered the Android.Phantom.5 module. It is a dropper that retrieves Android.Phantom.4.origin from other remote hosts. This malicious program downloads several other click-fraud trojans to operate on various sites. These modules feature a simpler design compared to Android.Phantom.2.origin—they're not enhanced with machine learning and streaming features but rely on pre-defined click-fraud routines in JavaScript.
To use WebRTC, the trojan requires the Java API, which is not shipped with Android by default and normally doesn't get downloaded with apps. That’s why at first, the trojan mostly ran in phantom mode. However, once Android.Phantom.5 had been introduced into the apps, Android.Phantom.2.origin was further enhanced with the Android.Phantom.4.origin dropper that delivered the API library it required.
Attackers also use other distribution channels to spread Android.Phantom.2.origin and Android.Phantom.5. For example, Spotify app mods with premium features unlocked are made available on various sites and in Telegram channels, including:
Telegram channels:
The altered Spotify app that perpetrators offer on the websites and in the Telegram channels is bundled with Android.Phantom.2.origin and the WebRTC library.
In addition to the Spotify app mods, attackers also incorporate trojans into modified apps for other popular streaming services, including YouTube, Deezer, Netflix and more. These are usually available on portals offering modded APK files:
Apkmody
Moddroid
The Moddroid portal features the “Editor's Choice” section. Only 4 of the editor’s 20 picks proved to be malware-free. The remaining 16 contained Android.Phantom trojans. The apps found on these two sites are loaded from the same CDN server at hxxps[:]//cdn[.]topmongo[.]com. These catalogues are also available as Telegram channels where users download modified APK files containing trojans:
Criminals also use Discord servers to promote and spread the infected apps. Spotify X is the most popular one. It has about 24,000 subscribers.
Its administrators don't shy away from offering compromised APK files to users in a more direct fashion. For example, the screenshot above shows how an administrator is offering visitors a Deezer music streaming app for download instead of a Spotify application, since the latter has stopped working.
The download link will provide the user with a program that actually works. Its code is protected with a proprietary packer concealing Android.Phantom.1.origin. Upon receiving an instruction from hxxps[:]//dllpgd[.]click, it will download the now-familiar Android.Phantom.2.origin, Android.Phantom.5, and the spyware trojan Android.Phantom.5.origin. The latter relays information about the device to the attackers, including the phone number, location, and a list of the installed apps.
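The write-up names four hosts that make up this infrastructure: the task server that hands out click-fraud targets and the "phantom" script, the host the TensorFlowJS model is fetched from, the WebRTC signalling server that also selects the operating mode and instructs the packed dropper, and the CDN that serves the trojanised APKs to the mod portals. The following Python script is an added example, not Dr.Web's code or tooling: it refangs those indicators exactly as they are printed above and scans DNS query logs for them, matching a host and any subdomain of it while rejecting look-alike names that merely start with the indicator. The log format (`<timestamp> <client-ip> <qtype> <hostname>`) and the sample lines are constructed for the example and do not come from any real resolver.

```python
import re
from dataclasses import dataclass

# Indicators quoted (defanged) in the article, keyed to the role the article assigns each host.
PHANTOM_INDICATORS = {
    "hxxps[:]//playstations[.]click": "task server: click-fraud targets and the 'phantom' JavaScript",
    "hxxps[:]//app-download[.]cn-wlcb[.]ufileos[.]com": "TensorFlowJS model download",
    "hxxps[:]//dllpgd[.]click": "WebRTC signalling server, mode selector and dropper C2",
    "hxxps[:]//cdn[.]topmongo[.]com": "CDN serving trojanised APKs to the mod portals",
}

# Constructed sample log lines: "<timestamp> <client-ip> <qtype> <hostname>".
# This is a made-up format for the example, not any resolver's real output.
SAMPLE_DNS_LOG = """\
2025-01-21T09:58:02Z 10.0.0.23 A www.example.org
2025-01-21T09:58:40Z 10.0.0.23 A playstations.click
2025-01-21T09:58:41Z 10.0.0.23 A app-download.cn-wlcb.ufileos.com
2025-01-21T10:01:05Z 10.0.0.31 A cdn.topmongo.com
2025-01-21T10:03:17Z 10.0.0.23 AAAA dllpgd.click
2025-01-21T10:04:00Z 10.0.0.44 A playstations.click.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class Hit:
    timestamp: str
    client: str
    host: str
    indicator: str
    role: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps[:]//, [.]) back into a plain lowercase hostname."""
    host = indicator.replace("hxxps[:]//", "").replace("hxxp[:]//", "")
    host = host.replace("[.]", ".")
    return host.lower().rstrip("/").rstrip(".")


def build_table(indicators=PHANTOM_INDICATORS):
    """Map refanged hostnames to their role description."""
    return {refang(k): v for k, v in indicators.items()}


def classify_host(host: str, table):
    """Return (indicator, role) if host equals an indicator or is a subdomain of it.

    Matching is done at a label boundary, so 'playstations.click.example.net'
    is NOT treated as a hit for 'playstations.click'.
    """
    host = host.lower().rstrip(".")
    for ioc, role in table.items():
        if host == ioc or host.endswith("." + ioc):
            return ioc, role
    return None


def scan_dns_log(text: str, indicators=PHANTOM_INDICATORS):
    """Parse log lines and return a Hit for every query that touched the infrastructure."""
    table = build_table(indicators)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, _qtype, host = m.groups()
        found = classify_host(host, table)
        if found:
            hits.append(Hit(ts, client, host, found[0], found[1]))
    return hits


def clients_by_indicator(hits):
    """Group affected clients by which hosts they reached, to see how far a device got."""
    out = {}
    for h in hits:
        out.setdefault(h.client, set()).add(h.indicator)
    return out


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{h.timestamp} {h.client} -> {h.host}: {h.role}")
    for client, iocs in clients_by_indicator(scan_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, sorted(iocs))
```

A client that resolves the task server, the model host and the signalling server in quick succession, as 10.0.0.23 does in the constructed sample, has behaved like a device running Android.Phantom.2.origin in both modes; a client that only reached the CDN may simply have downloaded a modded APK from one of the portals and is worth checking before it is assumed infected.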
This screenshot of the server shows what languages the impacted users speak. To access chat rooms in languages other than English, they have to react to the appropriate flag. Users who spoke Spanish, French, German, Polish and Italian appeared to be in the majority (English, which appears to be the server’s default language, is not factored in). Furthermore, the server administrators didn’t set up chat rooms for many Asian countries.
These trojans can inflict severe damage to the owners of infected devices. Here are just a few of the possible adverse consequences:
- An unsuspecting accomplice. A user's smartphone can be commandeered to partake in a DDoS attack and, by doing so, get its owner unwittingly involved in a cybercrime.
- Illegal activity. Attackers can use a compromised device to conduct illegal activities: run online fraud schemes or send spam messages.
- Increased battery use and traffic. Covert activities drain the battery and increase mobile data usage.
- Personal data leaks. Android.Phantom.5.origin is spyware that will transmit information about the device and its owner to a third party.
Trojans of this strain pose a threat to Android device owners who don't use up-to-date antivirus software. Sometimes users experience availability issues involving foreign online services, which forces them to seek out and use alternative and often shady methods to circumvent restrictions. This situation plays into the hands of virus makers as users are more likely to take chances and put their faith in dubious techniques. Children are particularly vulnerable. In their drive to play videogames, listen to music or watch videos, they tend to completely disregard information security basics.
We strongly advise you against downloading modified APK files from dubious sites and Telegram channels. As a rule, verifying the sources of such mods or apps takes time and requires some experience. That’s why using Dr.Web Security Space is probably the best way to ensure that you and your loved ones enjoy a worry-free experience with your mobile devices. Dr.Web protects not only smartphones but also game consoles, tablets and smart TVs.