More than 50 Android apps available on official app stores have been found distributing a dangerous adware trojan known as Android.MagicAd.1, which is capable of forcing persistent advertisements even after infected apps are closed.
Security researchers at Doctor Web report that the malware abuses system-level mechanisms to bypass Android’s built-in protections and continuously display ads in the background. The threat has been identified as highly engineered and more aggressive than typical adware, turning advertising fraud into a persistent system-level intrusion.
Infection Through Official App Stores
Although malware is often associated with third-party sources, Android.MagicAd.1 has been spreading through more than 50 infected games and utility apps published on trusted platforms, including the Samsung Galaxy Store and Xiaomi’s GetApps store.
To avoid detection, attackers frequently rotated infected apps, keeping them available for short periods—often less than a month—before replacing them with new versions. Despite this rotation, once installed, the malware remained active on user devices.
How the Malware Operates
The infection begins inside hidden, encrypted components embedded in the app’s native code. When a user launches an infected application, these components are decrypted and extract a core payload identified as Android.MagicAd.1.origin.
Before activating its main functions, the malware performs environment checks to detect virtual machines or known security analysis environments. If it determines the device is a real user system, it proceeds to hide its app icon and schedule background processes that keep it running continuously.
Bypassing Android Security Controls
Modern Android systems normally prevent apps from launching activities in the background or displaying overlays without explicit permissions. However, Android.MagicAd.1 bypasses these restrictions by abusing trusted system applications and manufacturer-specific services.
On Xiaomi and Amazon devices, the malware uses delayed system commands known as “pending intents” and routes them through legitimate system apps such as Mi Browser, MIUI SystemUI, or the Amazon Fire TV launcher. This allows it to trigger hidden processes and display transparent ad overlays on top of active screens.
On Vivo devices, the trojan exploits the Android Binder communication system, using trusted apps like iManager, Phonebook, or Vivo Browser to activate background ad behavior.
For other Android devices, it uses a fallback method: it silently plays an audio file, opens the system media player at zero volume, and simulates a hardware interaction. This tricks the operating system into granting priority execution, allowing the malware to push ads even when the user is not interacting with the infected app.
Growing Concern
Researchers warn that this type of malware represents a shift toward more sophisticated ad fraud techniques that exploit legitimate system features rather than relying on simple background services. The presence of Android.MagicAd.1 in official app stores highlights ongoing challenges in app store security and the evolving nature of mobile threats.