New Android Trojan hides in modded games and popular apps

  • A new family of Android.Phantom malware is hiding in modified games and apps
  • The Trojan uses artificial intelligence to click on ads and generate fraud
  • Infected phones can be used to take part in DDoS attacks, steal data, and send spam.
  • It has been detected in games from the Xiaomi store and in a fake version of Spotify.

Android phones are once again in the crosshairs of cybercriminals with the emergence of a new family of Trojans hiding in manipulated games and applications. This malware takes advantage of modified versions of popular titles and well-known apps to infiltrate devices and use them for illegal activities without the user's knowledge.

Researchers at the Doctor Web security lab have identified this malicious code, which they have named Android.Phantom, a Trojan capable of operating in different modes according to the orders it receives from a remote server. Its main objective is to generate profits through fraudulent advertisements and, at the same time, add infected mobile phones to an infrastructure for online attacks and fraud.

What is Android.Phantom and why is it hiding in games?

According to experts, Android.Phantom is primarily distributed through altered games and applications. These apps are presented as improved or free versions of popular products. Users install them thinking they'll get extra benefits, but in reality they're introducing a Trojan horse with advanced capabilities onto their phone or tablet.

This malware stands out because it uses machine learning techniques through TensorFlowJS, an artificial intelligence framework that runs in the browser, to automate tasks within web pages loaded in the background. This combination of AI and automation scripts makes the malicious behavior more flexible and harder to detect.

The choice of well-known games and apps is not accidental: cybercriminals take advantage of the user trust and high download volumes that such titles usually enjoy. Furthermore, many people search for modified versions (mods) outside of official stores to unlock paid features or in-game advantages, which facilitates the spread of the Trojan through unmonitored channels.

Doctor Web emphasizes that infected applications often reach the user disguised as legitimate products, especially when distributed through third-party stores or alternative repositories. The threat is often introduced in later updates, so even someone who originally downloaded a clean app can end up compromised later on.

Two operating modes: ghost and signaling

Researchers have found that Android.Phantom can work in two different modes depending on the instructions it receives from an external server. This command-and-control-based architecture allows the operator to change the malware's behavior at any time.

In the so-called ghost mode, the Trojan loads web content in the background and performs automated clicks on malicious ads. To achieve this, it combines automation scripts with TensorFlowJS, making it possible to simulate the interaction of a real user. This fake click traffic generates illegitimate revenue for the attackers through advertising networks.

The other profile, called signaling mode, is designed for the real-time exchange of data, audio, and video without the user having to install specific programs for that purpose. In this way, the compromised device can become a conduit for opaque communications or form part of more complex cybercrime infrastructures.

This dual capability makes Android.Phantom especially versatile: it can act as a tool for ad fraud, but also as a platform to coordinate and support other illegal operations. All of this is managed remotely, with the Trojan's operators adjusting the commands as needed.

The use of artificial intelligence frameworks on the device itself makes this malware an example of how machine learning techniques are being incorporated into cybercrime campaigns, not only to improve attacks but also to try to circumvent traditional detection mechanisms.

Illegal activities and risks to the user

Beyond ad fraud, Doctor Web researchers warn that Android devices infected with this Trojan can be exploited to launch distributed denial-of-service (DDoS) attacks. In this type of attack, thousands of compromised devices send simultaneous traffic to a target to take it offline.

The Trojan can also participate in various forms of online fraud and mass spam sending, using the user's device as the apparent source of the malicious activity. This not only harms the victims of these scams, but can also cause problems for the phone's owner if their line or IP address is linked to these actions.

Another of the risks mentioned is the possible theft of information stored on the device. This includes everything from personal data to credentials used in applications and services. Although the technical details of all the data theft functions have not been made public, the ability to communicate in real time with a remote server facilitates the exfiltration of sensitive information.

Overall, Android.Phantom behaves like a multi-functional threat capable of generating economic benefits, supporting cybercrime campaigns, and compromising user privacy. The real impact will depend on how the operators who control the network of infected devices decide to exploit it.

Indicators: battery, mobile data, and performance

Although the Trojan tries to act discreetly, its activity leaves traces in the device's behavior. One of the most obvious signs is a noticeable increase in battery consumption, as the device remains active in the background loading pages, running scripts, and maintaining connections with remote servers.

Specialists have also observed a marked increase in the use of mobile data and WiFi connections. This is a consequence of the continuous traffic generated by the malware when loading web content and communicating with the command and control infrastructure.

In some cases, the user may notice that the phone gets hotter than usual or runs slower, especially if the Trojan is constantly running intensive tasks. However, these symptoms aren't always immediately associated with an infection, so the problem can go unnoticed for weeks.

Taken together, the cost to the user can be twofold: on the one hand, a deterioration of the user experience and, on the other, possible additional charges on the mobile data bill if the contracted plan has a gigabyte limit or charges for excess consumption.
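As an added illustration of how the three indicators above (background activity, data traffic and battery drain) can be turned into a simple triage heuristic, the script below scores per-app usage records and flags the apps that stand out on several of them at once. This is example code written for this article, not anything from Doctor Web or from the Android.Phantom analysis; the AppUsage record layout, the thresholds and the package names are constructed assumptions. On a real device the figures would come from the battery and data usage screens or from usage statistics exported by a device management tool.

```python
"""Triage heuristic over per-app Android usage snapshots.

Added example for this article; not code from Doctor Web or from the
Android.Phantom analysis. The AppUsage layout, the thresholds and the
package names below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class AppUsage:
    package: str            # application package name (constructed values below)
    foreground_min: float   # minutes the app was in the foreground in the window
    background_min: float   # minutes the app was active in the background
    mobile_mb: float        # mobile data consumed in the window, in MB
    wifi_mb: float          # Wi-Fi data consumed in the window, in MB
    battery_pct: float      # share of total battery drain attributed to the app


def background_ratio(u: AppUsage) -> float:
    """Fraction of the app's active time spent in the background (0.0 if idle)."""
    total = u.foreground_min + u.background_min
    return u.background_min / total if total else 0.0


def flag_suspicious(records, bg_ratio_min=0.8, bg_minutes_min=60,
                    data_multiplier=5.0, battery_multiplier=3.0, min_reasons=2):
    """Return [(package, [reasons])] for apps that stand out on at least
    `min_reasons` of the three indicators: background activity, data
    traffic and battery drain.

    Baselines are medians across all apps, so a single heavy outlier does
    not drag the baseline up and hide itself (a mean would).
    """
    if not records:
        return []
    data_med = median(r.mobile_mb + r.wifi_mb for r in records)
    batt_med = median(r.battery_pct for r in records)
    findings = []
    for r in records:
        reasons = []
        total_mb = r.mobile_mb + r.wifi_mb
        if r.background_min >= bg_minutes_min and background_ratio(r) >= bg_ratio_min:
            reasons.append("runs almost exclusively in the background "
                           f"({r.background_min:.0f} min)")
        if data_med > 0 and total_mb >= data_multiplier * data_med:
            reasons.append(f"data use is {total_mb / data_med:.1f}x the median app")
        if batt_med > 0 and r.battery_pct >= battery_multiplier * batt_med:
            reasons.append(f"battery share is {r.battery_pct / batt_med:.1f}x the median app")
        if len(reasons) >= min_reasons:
            findings.append((r.package, reasons))
    return findings


# Constructed 24-hour sample; the fourth entry mimics a modded game that the
# user rarely opens but which stays busy in the background.
SAMPLE = [
    AppUsage("com.example.messenger", 45, 20, 30, 120, 8),
    AppUsage("com.example.browser", 90, 5, 50, 400, 12),
    AppUsage("com.example.maps", 30, 10, 80, 20, 6),
    AppUsage("com.example.moddedgame", 10, 600, 700, 1300, 40),
    AppUsage("com.example.music", 120, 60, 40, 160, 10),
]

if __name__ == "__main__":
    for package, reasons in flag_suspicious(SAMPLE):
        print(package)
        for reason in reasons:
            print("  -", reason)
```

Requiring two of the three indicators before flagging keeps genuinely heavy apps (a music player that streams in the background, a browser that downloads a lot) out of the list, which is the same caveat the text makes: any one symptom on its own is not proof of infection, only a reason to run a scan.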

Detection in games from the Xiaomi store

Doctor Web has documented that some of the detected infections are linked to games available on the Xiaomi app store. These titles had been published by the developer Shenzhen Ruiren Network, who had initially uploaded legitimate versions and, in a later update, introduced the malicious code.

Thus, users who downloaded a seemingly harmless game found that a subsequent update incorporated the Android.Phantom Trojan, without their having to install a new app from scratch. This type of strategy complicates detection, since it relies on the trust generated by an application that was already on the device.

Although the alert has focused on the Xiaomi store, the case illustrates the risks associated with alternative or manufacturer app stores, which sometimes lack the same filters and security controls as Google Play. For users in Spain and Europe, where imported phones or phones purchased online are common, this scenario is not unlikely.

Authorities and security providers typically recommend that, when using third-party stores, users exercise extreme caution and review the developer's information and other users' comments. However, even these measures are not foolproof if the problem is introduced through updates that ostensibly improve the game.

Spotify modification and distribution via Telegram

In addition to games, researchers have identified that Android.Phantom has also been distributed through a modified version of Spotify that promised advanced features and access to premium functionality without paying for the official subscription.

This altered version of the music application is spreading mainly through Telegram channels and unofficial websites, two very common ways to share modified APKs. Users, attracted by the possibility of obtaining free benefits, download and install the app without going through the official store.

As it is a very popular service in Spain and the rest of Europe, fake versions of Spotify are a particularly effective lure. Many users may not be fully aware of the risk involved in installing an external APK, especially when it is recommended in seemingly trustworthy groups or channels.

The case of this manipulated app reinforces Doctor Web's message, which strongly advises against downloading modified APK files from websites or Telegram channels of dubious origin. Although the allure of extra features may be tempting, the cost in terms of security can be very high.

Security recommendations for Android users

Given this scenario, experts highlight several best practices to reduce the likelihood of falling victim to Trojans like Android.Phantom. The first and most obvious is to always prioritize downloading apps from Google Play or other official stores with stricter review systems.

If using manufacturer stores or alternative repositories, it is key to carefully review the developer, the date of the latest updates, and other users' comments, as well as to be wary of titles that promise disproportionate advantages or features that do not match the original versions.

Experts also emphasize the importance of keeping antivirus software updated on your device. This is especially true on mobile phones and tablets, which are used daily to access online banking, social media, email, and other sensitive services. Many security solutions are capable of detecting anomalous behavior like that of Android.Phantom.

Another basic recommendation is to be wary of links and files shared on Telegram channels, messaging groups, or unfamiliar websites, especially when they offer free "premium" versions of paid apps or mods for popular games. Before installing anything, it's wise to consider whether the supposed benefit outweighs the risk.

Finally, users should pay attention to symptoms such as a sudden increase in battery consumption, data traffic, or unusual device heating. These signs do not always imply an infection, but they are an indication that something may be wrong and that it is worthwhile to perform a scan with a reliable security tool.

Everything points to Android.Phantom joining the list of sophisticated threats targeting mobile devices, using modified games and apps as a Trojan horse to gain access to them. Between ad fraud, potential involvement in DDoS attacks, and data theft, this Trojan shows how advisable it is to take extreme precautions when installing software on Android, and especially when tempted by "improved" versions circulating outside of official channels.