A sophisticated trojan, identified as Android.MagicAd.1, has emerged as a significant threat to Android users, circumventing the platform’s built-in defenses to inundate devices with relentless background advertisements. Security experts at Doctor Web have uncovered this malware, which abuses legitimate system applications on the phone to deliver ads even when all application windows are closed. The finding highlights a troubling evolution in ad-delivering threats, from mere annoyances to highly engineered tools designed to exploit safety protocols.
The Infection Chain
Initially detected in 2025, Android.MagicAd.1 has proliferated through over 50 infected games and utility applications. Alarmingly, these malicious apps have not been confined to dubious download sites; they have also infiltrated official app stores, including the Samsung Galaxy Store and Xiaomi’s GetApps catalogue.
To evade early detection by security scanners, the perpetrators have adopted a strategy of rotating their applications, keeping them online for less than a month before introducing new versions. However, once downloaded, the trojan remains active on user devices, creating a persistent threat.
The infection process begins with hidden, encrypted components embedded within native code libraries. When a user opens a compromised application, the malware decrypts these resources to extract a core component known as Android.MagicAd.1.origin.
This trojan also conducts environment checks prior to launching its payload, scanning for virtual machines or blacklisted IP addresses to ensure it is not being monitored by security researchers. If the coast is clear, it stealthily hides its app icon from the home screen and schedules background tasks to maintain its operation indefinitely.
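A triage check for the icon-hiding behaviour described above, as an added example that is not taken from Doctor Web's report: it lists third-party packages that expose no enabled launcher activity. The command output below is constructed, the package names are hypothetical, and the output layout of the two adb commands is an assumption noted in the comments.

```python
import re

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
PM_LIST_SAMPLE = """\
package:com.example.puzzlegame
package:com.example.flashlight
package:com.example.keyboard
package:org.example.notes
"""

# Constructed sample of `adb shell cmd package query-activities --brief
#   -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`.
# Assumed layout: each result contributes one "package/activity" component line.
LAUNCHER_QUERY_SAMPLE = """\
3 activities found:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  com.android.settings/.Settings
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  com.example.puzzlegame/com.example.puzzlegame.MainActivity
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  org.example.notes/.ui.Home
"""

# A component line is "<package>/<class>"; header and priority lines do not match.
COMPONENT_RE = re.compile(r"^\s*([A-Za-z][\w.]*)/[\w.$]+\s*$")

def third_party_packages(pm_output):
    """Package names from `pm list packages -3` output."""
    prefix = "package:"
    return {line.strip()[len(prefix):] for line in pm_output.splitlines()
            if line.strip().startswith(prefix)}

def launcher_packages(query_output):
    """Packages that own at least one enabled MAIN/LAUNCHER activity."""
    matches = (COMPONENT_RE.match(line) for line in query_output.splitlines())
    return {m.group(1) for m in matches if m}

def hidden_icon_candidates(pm_output, query_output, expected_iconless=()):
    """Third-party packages with no launcher entry, minus a reviewed allowlist."""
    missing = third_party_packages(pm_output) - launcher_packages(query_output)
    return sorted(missing - set(expected_iconless))

if __name__ == "__main__":
    # Keyboards, widgets and similar add-ons legitimately ship without an icon.
    allow = {"com.example.keyboard"}
    for pkg in hidden_icon_candidates(PM_LIST_SAMPLE, LAUNCHER_QUERY_SAMPLE, allow):
        print("no launcher icon:", pkg)
```

A package on this list is a lead for review rather than a verdict, since some legitimate apps have no launcher entry by design.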
Bypassing Android Restrictions
In their analysis, researchers noted that modern Android operating systems impose strict restrictions on background applications, preventing them from launching themselves or displaying windows over other programs without explicit permissions. Nevertheless, Android.MagicAd.1 cleverly bypasses these barriers by targeting trusted, pre-installed system applications, with its methods varying based on the device manufacturer.
On Xiaomi and Amazon devices, the malware utilizes a delayed system command known as a “pending intent” directed at its internal component, Android.MagicAd.1.origin. This command is routed through standard system apps such as Mi Browser, Miui SystemUI, or the Amazon Fire TV Home Screen launcher to activate itself and overlay transparent ad banners on active screens.
For Vivo devices, the hackers exploit an internal communication system called Android Binder, sending data packets through standard tools like iManager, Phonebook, or Vivo Browser to trigger the background advertisements.
In cases involving other brands, the trojan employs a clever universal fallback. It saves a silent audio file, activates the system media player at zero volume, and simulates a physical button click using a background command. This tactic deceives the operating system into granting the trojan immediate priority to display its ads.
Doctor Web has confirmed that all identified malicious applications have been removed from official stores. While this immediate distribution loop has been disrupted, the campaign underscores the ease with which threat actors can weaponize the very software designed to protect users.