A newly discovered Android trojan called MagicAd has been found flooding infected devices with ads, cleverly slipping past the built-in restrictions of the Android operating system.
What makes this threat stand out is not just what it does, but how it does it. It uses multiple techniques to keep showing ads in the background, even after the infected app has been completely closed by the user.
The malware was found hiding inside more than 50 games and apps listed on GetApps, the official app store for Xiaomi devices. Each infected app would appear in the store for a short time, usually around a month, then quietly vanish and get replaced by a new one.
This rotation strategy appeared to be a deliberate move to avoid early detection, while keeping the threat active on users’ devices long after the app was removed.
Dr.Web said in a report shared with Cyber Security News (CSN) that MagicAd first appeared in 2025 and was also found in the Samsung Galaxy Store around that same time.
Once an infected app is installed, it continues its malicious activity even if the original upload is pulled from the store. The developers behind these apps have since stopped distributing new infected uploads, but devices already compromised remain at risk.
Before jumping into action, the trojan quietly checks whether it is being watched or analyzed. It looks for signs of virtual machines, checks whether the install came through a real user, and verifies the device’s network address against an internal blacklist.
If everything looks normal, it hides its own icon from the app menu and sets up silent background services that keep it running at all times.
The malware’s reach is not limited to Xiaomi devices. Variants were designed to target Vivo smartphones and Amazon Fire TV devices as well, making it a broader threat than it might initially appear.
New MagicAd Android Malware
The core trick MagicAd uses is launching ads without ever asking for the permission that normally allows an app to place windows over other apps.
Instead, it loads advertising banners as what is called a Translucent Activity, letting them appear on screen without triggering the usual permission checks.
On Xiaomi devices, the trojan sends crafted messages called intents to built-in system apps like Mi Browser and Miui SystemUI. These are trusted programs that can receive instructions even when not open, so MagicAd uses them as a relay to push ads onto the screen.
On Vivo devices, a similar approach uses Android Binder, a lower-level system channel, targeting iManager, Phonebook, Vivo Browser, and Baidu IME Customized to achieve the same result.
The most inventive method works across nearly all Android devices regardless of manufacturer. MagicAd decrypts a hidden audio file from its own code, launches the system media player at zero volume, and links it to Android’s global media controls.
It then simulates a button press using a background command, which hands control back to the malware so it can silently launch the ad. The user sees an ad appear with no obvious reason why.
How It Persists and What Users Can Do
MagicAd does not rely on a single method to stay active. It uses a task scheduler to restart its background services on a regular basis, and on older Android versions, it launches a virtual screen to prevent the system from shutting down its components. Even if one method fails, the malware retries before switching to a more direct fallback approach.
Users should regularly review unfamiliar apps on their devices and remove anything suspicious or unrecognized. Keeping the device’s operating system updated is also critical, as newer Android versions increasingly block the kind of background behavior MagicAd depends on.
A capable mobile security tool that watches for such activity can help detect and remove infections before they cause lasting disruption.
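One concrete way to act on the advice above is to look for the behaviour described earlier: a third-party app that has hidden its launcher icon. The following script is an added example written for this article, not code from Dr.Web or from the malware itself; it compares a device's third-party package list with the list of packages that register a launcher activity, and flags the ones that have no icon. The sample command output is constructed, and the line format assumed for `cmd package query-activities --brief` (one `package/activity` per line) is an assumption you should confirm against your own device's output.

```python
"""Flag third-party Android packages that ship no launcher icon.

Added example for this article (not Dr.Web's or the malware's code). It is a
triage heuristic, not a detector: keyboards, plugins and some vendor apps also
have no launcher entry, so keep an allowlist and review hits by hand.
"""
import re
from typing import List, Set

# Constructed sample of `adb shell pm list packages -3` (third-party only).
PM_LIST_OUTPUT = """\
package:com.example.notes
package:com.example.puzzlegame
package:com.example.flashlight
package:com.example.keyboard
"""

# Constructed sample of
#   adb shell cmd package query-activities --brief \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
# Assumed format: one "package/activity" line per launcher entry.
LAUNCHER_QUERY_OUTPUT = """\
  com.android.settings/.Settings
  com.example.notes/.MainActivity
  com.example.flashlight/com.example.flashlight.ui.Launch
"""

# Packages that legitimately have no launcher icon (constructed allowlist;
# extend it for the apps you expect on your own fleet).
ALLOWLIST: Set[str] = {"com.example.keyboard"}

PACKAGE_LINE = re.compile(r"^package:(\S+)$")
LAUNCHER_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)/(\S+)\s*$")


def parse_third_party_packages(text: str) -> Set[str]:
    """Extract package names from `pm list packages -3` output."""
    found: Set[str] = set()
    for line in text.splitlines():
        match = PACKAGE_LINE.match(line.strip())
        if match:
            found.add(match.group(1))
    return found


def parse_launcher_packages(text: str) -> Set[str]:
    """Extract package names that register a MAIN/LAUNCHER activity."""
    found: Set[str] = set()
    for line in text.splitlines():
        match = LAUNCHER_LINE.match(line)
        if match:
            found.add(match.group(1))
    return found


def find_hidden_packages(pm_text: str, launcher_text: str,
                         allowlist: Set[str] = ALLOWLIST) -> List[str]:
    """Return third-party packages with no launcher icon, minus the allowlist."""
    third_party = parse_third_party_packages(pm_text)
    with_icon = parse_launcher_packages(launcher_text)
    return sorted(third_party - with_icon - allowlist)


if __name__ == "__main__":
    # On a real device, feed the two adb command outputs in place of the samples.
    for pkg in find_hidden_packages(PM_LIST_OUTPUT, LAUNCHER_QUERY_OUTPUT):
        print(f"review: {pkg} (third-party, no launcher icon)")
```

Run it against a real device by substituting the captured output of the two `adb shell` commands for the constructed strings; every package it prints is worth inspecting in Settings > Apps, where an app with no icon is still listed and can be uninstalled. Treat a hit as a prompt for review rather than proof of infection, since legitimate icon-less apps exist.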
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Malware Name | Android.MagicAd.1 | Primary trojan variant distributing background ads |
| Malware Name | Android.MagicAd.1.origin | Dex component module used to relay and launch advertisements |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.