A new malware family dubbed Android.Phantom has been identified targeting Android devices through popular mobile games and pirated “premium” app mods. The trojan specializes in automated advertising click fraud and covert data collection, while remaining largely invisible to victims. Distribution takes place via both official and unofficial channels, including the Xiaomi GetApps store, third‑party APK sites, Telegram groups and Discord servers.
Android.Phantom malware: architecture, infrastructure and attack chain
Security researchers link all known Android.Phantom variants to a common command‑and‑control (C2) infrastructure associated with the domain hxxps[:]//dllpgd[.]click. The malware either communicates directly with this C2 or is downloaded on demand through it, enabling flexible control over infected devices.
One of the most notable distribution vectors is Xiaomi’s official app marketplace GetApps. Several seemingly harmless games — Creation Magic World, Cute Pet House, Amazing Unicorn Party, Sakura Dream Academy, Theft Auto Mafia and Open World Gangsters — were published under the developer name SHENZHEN RUIREN NETWORK CO., LTD. Initially clean, these titles received updates in late September 2025 that embedded the trojan Android.Phantom.2.origin, turning legitimate entertainment apps into a delivery platform for fraud.
Two operating modes: phantom and signaling
Android.Phantom uses a dual‑mode architecture, switching between phantom and signaling modes depending on instructions from its operators.
In phantom mode, the trojan launches a hidden browser based on the Android WebView component. On command from hxxps[:]//playstations[.]click, it loads a target web page together with a special JavaScript payload named phantom. This script automates interaction with online ads and incorporates TensorFlowJS, a browser‑based machine learning framework. The malicious model is downloaded from hxxps[:]//app-download[.]cn-wlcb[.]ufileos[.]com into the app’s directory. The malware then creates a virtual screen, takes screenshots, analyzes them with TensorFlowJS to locate ad elements, and simulates realistic user clicks and scrolling. This approach is far harder to detect than simple scripted clicking, as it mimics human behavior on real ad placements.
In signaling mode, Android.Phantom leverages WebRTC, a technology normally used for browser‑based audio and video calls, to set up peer‑to‑peer sessions between the infected device and the attackers. The domain hxxps[:]//dllpgd[.]click acts as the signaling server, coordinating connections and selecting the operating mode. Tasks with target sites again arrive from hxxps[:]//playstations[.]click. The malware streams video of the virtual screen to the operators, who can remotely drive the browser in real time: perform clicks, scroll content, and enter text. This effectively turns the device into a remotely controllable “mobile browser farm” for fraud and abuse.
Distribution channels: GetApps, pirated APK mods, Telegram and Discord
On 15–16 October 2025, the compromised GetApps games received another update containing the module Android.Phantom.5. This component acts as a dropper, embedding the loader Android.Phantom.4.origin. Its role is to silently fetch and install additional clicker trojans that do not use machine learning or video streaming, relying solely on JavaScript scenarios. These lightweight variants are simpler but still profitable for operators running mass ad‑fraud campaigns.
Android.Phantom also circumvents a key technical obstacle: WebRTC support on Android typically requires an extra native library with a dedicated Java API, which is not present in the standard system image. Earlier waves of the campaign relied mostly on phantom mode. With Android.Phantom.5 and Android.Phantom.4.origin, the malware gained the ability to automatically download this missing WebRTC library, greatly expanding the use of signaling mode.
A second major infection vector involves modified Spotify APKs with unlocked premium features. These “free premium” builds are promoted via websites and Telegram channels such as “Spotify Pro” and “Spotify Plus – Official”, each boasting tens of thousands of subscribers. The mods bundle Android.Phantom.2.origin and an already integrated WebRTC library, making them fully weaponized on installation. Similar tactics are used for altered versions of YouTube, Deezer, Netflix and other services hosted on the popular mod portals Apkmody and Moddroid. According to researchers, only 4 of 20 applications in Moddroid’s “Editor’s Choice” section were clean; the remaining 16 carried Android.Phantom variants. APK downloads on both sites are served via a shared CDN at hxxps[:]//cdn[.]topmongo[.]com, amplified by the Telegram communities Moddroid.com and Apkmody Chat.
Discord is exploited as an additional delivery ecosystem. A large server named Spotify X with about 24,000 members is used to distribute infected mods directly: administrators recommend “working” Deezer or Spotify builds and share links to malicious APKs. One Deezer mod, protected by a commercial packer, hides Android.Phantom.1.origin. On command from hxxps[:]//dllpgd[.]click, this loader fetches Android.Phantom.2.origin, Android.Phantom.5, and the spyware module Android.Phantom.5.origin, which exfiltrates the victim’s phone number, geolocation data and a list of installed applications. Language‑based channel analysis indicates particularly heavy impact on Spanish, French, German, Polish and Italian‑speaking users.
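A defender-side example, added here and not code from the report or the researchers: it refangs the four network indicators named above (C2/signaling server, task server, model host and mod CDN) and matches them, including subdomains but not lookalike hosts, against DNS query log lines. The log format and the query lines are constructed for the example, not real telemetry.

```python
import re

# Defanged indicators exactly as they appear in the report above.
DEFANGED_IOCS = [
    "hxxps[:]//dllpgd[.]click",                          # C2 / WebRTC signaling server
    "hxxps[:]//playstations[.]click",                    # task server (target sites)
    "hxxps[:]//app-download[.]cn-wlcb[.]ufileos[.]com",  # TensorFlowJS model host
    "hxxps[:]//cdn[.]topmongo[.]com",                    # shared CDN serving mod APKs
]

def refang(ioc: str) -> str:
    """Turn a defanged URL or domain into a bare lowercase hostname."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^hxxps?://", "", s, flags=re.IGNORECASE)
    return s.split("/")[0].lower()

SUSPECT_HOSTS = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample log in a simple "timestamp client qname" shape (assumption, not a real format).
SAMPLE_DNS_LOG = """\
2025-10-16T09:12:01Z 10.0.0.23 www.example.com
2025-10-16T09:12:05Z 10.0.0.23 dllpgd.click
2025-10-16T09:12:07Z 10.0.0.23 app-download.cn-wlcb.ufileos.com
2025-10-16T09:13:10Z 10.0.0.41 cdn.topmongo.com
2025-10-16T09:13:12Z 10.0.0.41 api.playstations.click
2025-10-16T09:14:00Z 10.0.0.52 notdllpgd.click
"""

def host_matches(qname: str) -> bool:
    """True for a suspect host or any of its subdomains; a lookalike such as notdllpgd.click does not match."""
    q = qname.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in SUSPECT_HOSTS)

def find_hits(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every query that resolves one of the suspect hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than fail the whole scan
        ts, client, qname = parts
        if host_matches(qname):
            hits.append((ts, client, qname))
    return hits

if __name__ == "__main__":
    for ts, client, qname in find_hits(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {qname}")
```

Clients that query the signaling or task server deserve a closer look at installed apps, especially recently updated games or streaming mods.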
Why Android.Phantom is a high‑risk Android trojan
Android.Phantom combines several traits that significantly raise its risk profile: covert WebView and WebRTC usage, machine‑learning‑driven interaction via TensorFlowJS, modular loaders and droppers, and built‑in data‑harvesting capabilities. This blend complicates signature‑based detection and enables operators to scale click fraud while simultaneously building detailed profiles of infected devices.
The campaign also exploits user demand for entertainment and “free” premium content. Industry reports from Google and independent labs consistently show that installing apps from third‑party sources carries a markedly higher malware risk than using official stores. In regions where access to foreign services is restricted or paid subscriptions are harder to obtain, users are more inclined to seek pirated mods and unofficial APKs — an environment actively leveraged by cybercriminal groups.
Protecting Android devices from Android.Phantom and similar trojans
Mitigating the risk of infection by Android.Phantom and other Android trojan clickers starts with installation hygiene. Wherever possible, apps should be downloaded only from official marketplaces such as Google Play and trusted vendor stores, avoiding modified applications that promise unlocked paid features. Links to APKs shared via Telegram, Discord, forums or unverified websites should be treated as high‑risk, regardless of who posts them.
Baseline security measures include keeping the operating system and apps updated, enabling Google Play Protect where available, and using a reputable mobile security solution capable of detecting trojan loaders and suspicious WebView activity. Users should scrutinize requested permissions and watch for anomalies such as unexplained spikes in data usage, rapid battery drain, spontaneous browser activity or intrusive advertising.
For families, discussing app safety with children and teenagers is crucial, especially around the risks of “free premium” mods for games and streaming platforms. Where appropriate, parental control tools can help limit app sources and block unknown installations. Android.Phantom underlines how quickly threat actors adapt to user behavior and market conditions; raising awareness, refusing questionable mods and maintaining a layered defense remain key steps to lowering infection risk and preserving control over Android devices.