MagicAd Android Malware Floods Devices with Ads, B
MagicAd, a newly discovered Android trojan, floods infected devices with advertisements while bypassing the operating system’s native restrictions. What makes this threat stand out is not just what it does but how it does it: it uses multiple techniques to keep showing ads in the background, even after the user has completely closed the infected app.
The malware was found hiding inside more than 50 games and apps listed on GetApps, the official app store for Xiaomi devices. Each infected app would appear in the store for a short time, usually around a month, then quietly vanish and get replaced by a new one.
This rotation strategy appeared to be a deliberate move to avoid early detection, while keeping the threat active on users’ devices long after the app was removed.
Dr.Web said in a report shared with Cyber Security News (CSN) that MagicAd first appeared in 2025 and was also found in the Samsung Galaxy Store around that same time.
Once an infected app is installed, it continues its malicious activity even if the original upload is pulled from the store. The developers behind these apps have since stopped distributing new infected uploads, but devices already compromised remain at risk.
Before jumping into action, the trojan quietly checks whether it is being watched or analyzed. It looks for signs of virtual machines, checks whether the install came through a real user, and verifies the device’s network address against an internal blacklist.
If everything looks normal, it hides its own icon from the app menu and sets up silent background services that keep it running at all times.
The malware’s reach is not limited to Xiaomi devices. Variants were designed to target Vivo smartphones and Amazon Fire TV devices as well, making it a broader threat than it might initially appear.
New MagicAd Android Malware
The core trick MagicAd uses is launching ads without ever asking for the permission that normally allows an app to place windows over other apps.
Instead, it loads advertising banners as what is called a Translucent Activity, letting them appear on screen without triggering the usual permission checks.
On Xiaomi devices, the trojan sends crafted messages called intents to built-in system apps like Mi Browser and Miui SystemUI. These are trusted programs that can receive instructions even when not open, so MagicAd uses them as a relay to push ads onto the screen.
On Vivo devices, a similar approach uses Android Binder, a lower-level system channel, targeting iManager, Phonebook, Vivo Browser, and Baidu IME Customized to achieve the same result.

The most inventive method works across nearly all Android devices regardless of manufacturer. MagicAd decrypts a hidden audio file from its own code, launches the system media player at zero volume, and links it to Android’s global media controls.
It then simulates a button press using a background command, which hands control back to the malware so it can silently launch the ad. The user sees an ad appear with no obvious reason why.
How It Persists and What Users Can Do
MagicAd does not rely on a single method to stay active. It uses a task scheduler to restart its background services on a regular basis, and on older Android versions, it launches a virtual screen to prevent the system from shutting down its components. Even if one method fails, the malware retries before switching to a more direct fallback approach.
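The three traits described above (a translucent activity hosting ads without the overlay permission, SYSTEM_ALERT_WINDOW, a media-button receiver, and a JobScheduler-backed service that restarts background components) can all be spotted in a decoded AndroidManifest.xml, as produced by apktool. The following Python triage script is an added example, not code from Dr.Web’s report or from the malware; the sample manifest, its package name and component names are constructed, while the tag, attribute, action and permission names are Android’s own.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"
MEDIA_BUTTON = "android.intent.action.MEDIA_BUTTON"
JOB_SERVICE = "android.permission.BIND_JOB_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifest (not from a real MagicAd sample) showing all three traits at once.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Puzzle">
    <activity android:name=".MainActivity"/>
    <activity android:name=".AdHostActivity" android:excludeFromRecents="true"
      android:theme="@android:style/Theme.Translucent.NoTitleBar"/>
    <receiver android:name=".KeyReceiver"><intent-filter><action android:name="android.intent.action.MEDIA_BUTTON"/></intent-filter></receiver>
    <service android:name=".KeepAliveJob" android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>"""

def attr(elem, name):
    """Return the android:<name> attribute of a manifest element, or None."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def actions(elem):
    """Set of intent-filter action names declared under a component."""
    return {attr(a, "name") for a in elem.iter("action")}

def triage_manifest(xml_text):
    """Return heuristic findings; a hit is a triage signal for an analyst, not proof
    of infection, since media players and dialog-style apps use the same constructs."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {attr(p, "name") for p in root.findall("uses-permission")}
    findings = []
    for act in app.findall("activity"):
        name, theme = attr(act, "name"), attr(act, "theme") or ""
        if "Translucent" in theme:
            # A see-through activity can host an ad banner with no overlay window at all
            note = "translucent activity %s" % name
            if OVERLAY not in perms:
                note += " without SYSTEM_ALERT_WINDOW"
            if attr(act, "excludeFromRecents") == "true":
                note += ", hidden from recents"
            findings.append(note)
    for comp in app.findall("receiver") + app.findall("service"):
        name = attr(comp, "name")
        if MEDIA_BUTTON in actions(comp):
            # A media-button receiver lets a simulated key press hand control back to the app
            findings.append("media button receiver %s" % name)
        if attr(comp, "permission") == JOB_SERVICE:
            # JobScheduler-bound service: periodic restart of background components
            findings.append("job scheduler service %s" % name)
    return findings
```

Run it against `apktool d`’s output; an app that trips all three heuristics while requesting no overlay permission is worth a closer look at its runtime behaviour.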
Users should regularly review unfamiliar apps on their devices and remove anything suspicious or unrecognized. Keeping the device’s operating system updated is also critical, as newer Android versions increasingly block the kind of background behavior MagicAd depends on.
A capable mobile security tool that watches for such activity can help detect and remove infections before they cause lasting disruption.