Phantom Malware Strikes Android Devices Through Game Mods
Android smartphone users who enjoy downloading modified games and apps are now facing a new threat that could potentially turn their devices into tools for click fraud. Researchers at Doctor Web’s antivirus lab have discovered a malware strain, known as Android.Phantom, that is being distributed through popular titles and unofficial app sources.
Initially spotted after suspicious behavior was noticed in several Android games following updates in late September 2025, the malware has been found bundled with games like Creation Magic World, Cute Pet House, and Theft Auto Mafia. Once installed, the malware operates silently alongside the game without alerting the user.
According to Doctor Web’s report, the Android.Phantom malware operates in two modes controlled by remote servers. In the “phantom” mode, the malware uses a hidden browser component to load specific web pages, download scripts, and utilize machine learning to mimic user behavior and interact with ads through automated clicks. Additionally, the malware can establish peer-to-peer connections using WebRTC, allowing remote controllers to interact with the user’s screen in real time.
Doctor Web has observed the Android.Phantom toolkit evolving over time, with new capabilities added through regular updates. An additional module acts as a dropper, fetching more click-fraud components from various servers to expand the scale of fraud across different target sites.
Users may not easily detect the presence of this threat, as the affected games appear to function normally on the surface. It is recommended to avoid installing apps from third-party stores, as they pose a higher risk of containing malicious software. Even official app stores have been targeted by cybercriminals in the past, so caution is advised when downloading any apps.
