Samsung’s Galaxy Store recently faced scrutiny after a security report from Dr. Web revealed that over 50 applications were unknowingly distributing a hidden Android trojan known as MagicAd. These infected apps, primarily comprising games and utility tools, have since been removed from the store. However, users who downloaded these apps prior to their removal may still find the malware lurking on their devices.
Simply deleting the infected app does not eliminate the threat. MagicAd is designed to establish persistent background services that continue to operate even after the host application has been uninstalled. It cleverly conceals its icon from the app drawer, making it difficult for users to detect its presence. Signs of infection may manifest as unsolicited advertisements appearing on the screen without any active applications, unexplained battery drain, and data usage spikes that cannot be accounted for.
How MagicAd got in and stayed hidden
Dr. Web’s analysis indicates that the malware was meticulously crafted to evade early detection. Before activating, MagicAd would assess its environment to determine if it was being scrutinized in a testing setting. If it identified itself as a legitimate device with a genuine user, it would proceed to execute its malicious functions. The core code of the malware was cleverly concealed within encrypted files in each app, which it would decrypt and run directly in the device’s memory, leaving minimal traces for security software to identify.
The developers behind MagicAd anticipated the possibility of their applications being removed from the Galaxy Store. Each infected app typically remained available for about a month before being taken down, only to be replaced by a new version of the same malware. This strategic rotation allowed the malware to persist while reducing the exposure time of any single app to scrutiny.
Interestingly, the motive behind MagicAd was not data theft but rather financial gain. The malware generated revenue through fraudulent ad impressions, effectively turning users’ devices into silent ad servers, with the profits funneled to the orchestrators of the operation.
How to check if you’re affected
Dr. Web has refrained from publishing a specific list of the infected applications, largely due to the rotation strategy that kept the malware circulating. If you have installed any game or utility app from the Samsung Galaxy Store in recent months and have begun to notice unexpected pop-up ads, increased battery drain, or unexplained data usage, your device may be compromised.
To assess your device’s security, it is advisable to run a comprehensive scan using one of the top-rated Android security applications. Options such as Bitdefender Mobile Security, McAfee Security, and Norton 360 Deluxe are effective at detecting active malware, including persistent threats like MagicAd. For those seeking a free alternative, Avira Antivirus Security is a reliable choice. Should symptoms persist, performing a factory reset is the most effective method to eradicate a deeply embedded trojan.
Before proceeding with a factory reset, it is crucial to back up important files, including photos, videos, text messages, and documents. Consult a guide on backing up your Android phone to ensure that you retain all essential data. However, be cautious not to include app settings or the entire system in the backup, as this could inadvertently lead to the reinstallation of the malware.
While the Samsung Galaxy Store is often regarded as a curated alternative to Google Play, it is important to remember that no official app store can guarantee the exclusion of all threats. Always take the time to check ratings and download counts before installing any application, even from Samsung’s platform.