[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fw3txKR5HsBuM87eJdgXzmAtTWPjsjuxQoBDQPaBPTgM":3},{"article":4,"iocs":38},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":25,"category":26,"article_tags":30},"f0362d7b-b5cf-44f5-83fb-ece25ca38771","Over 50 Android Apps Found Spreading MagicAd Trojan via Official Stores","over-50-android-apps-found-spreading-magicad-trojan-via-official-stores-2a18b5","Over 50 Android apps on official stores spread MagicAd trojan, using system tricks to force background ads even after infected apps are closed.","Over 50 Android applications, including games and utilities, have been found distributing the MagicAd trojan through official app stores like Samsung Galaxy Store and Xiaomi's GetApps. The malware employs sophisticated system tricks, targeting manufacturer-specific vulnerabilities, to display intrusive ads even when apps are closed and icons are hidden. While the malicious apps have been removed, the campaign highlights the evolving tactics of ad-delivering threats.","Over 50 Android apps on official stores spread MagicAd trojan, forcing background ads.","Security Android MalwareOver 50 Android Apps Found Spreading MagicAd Trojan via Official Stores Over 50 Android apps on official stores spread MagicAd trojan, using system tricks to force background ads even after infected apps are closed. byDeeba AhmedJune 15, 20262 minute read A deceptive trojan is outsmarting Android’s built-in defences to bombard users with unstoppable background advertisements. Security analysts at Doctor Web recently found Android.MagicAd.1, a trojan malware that manipulates legitimate phone systems to force-feed ads even when all app windows are closed. This is a frustrating trick, proving that ad-delivering threats are no longer just a minor nuisance but highly engineered tools designed to break safety rules. The Infection Chain Android.MagicAd.1 first appeared in 2025, but researchers say it is now being pushed through more than 50 infected games and utility apps. The malicious apps were not limited to shady download sites either. They were distributed through official app stores, including Samsung Galaxy Store and Xiaomi’s GetApps catalogue. Some games and programs from the GetApps catalogue hiding Android.MagicAd.1 (Credit: Doctor Web) To evade early detection by security scanners, the hackers rotated their apps, keeping them online for less than a month before swapping them with new versions. However, once downloaded, the trojan remained active on user devices. The attack chain begins with hidden, encrypted components inside native code libraries. When a victim opens a compromised app, the malware decrypts these resources to extract a core component called Android.MagicAd.1.origin. This Android malware also performs environment checks before launching its payload. It scans for virtual machines or blacklisted IP addresses to ensure it’s not being monitored by security researchers. If everything is clear, it hides its app icon from the home screen menu and schedules background tasks to keep itself running permanently. Bypassing Android Restrictions Researchers explained in the blog post that modern Android operating systems strictly forbid background apps from launching themselves or displaying windows over other programs without explicit permissions. Android.MagicAd.1, however, can bypass this barrier simply by targeting trusted, pre-installed system applications. The way it does this depends heavily on the phone’s manufacturer. On Xiaomi and Amazon devices, the malware sends a delayed system command called a “pending intent” to its internal component, Android.MagicAd.1.origin. It routes this command through standard system apps like Mi Browser, Miui SystemUI, or the Amazon Fire TV Home Screen launcher to wake itself up and draw transparent ad banners right over active screens. For Vivo devices, the hackers exploit an internal communications system called Android Binder instead, sending data packages through standard tools like iManager, Phonebook, or Vivo Browser to trigger the background ads. On other brands, the trojan program uses a clever, universal fallback. It saves a silent audio file, opens the system media player at zero volume, and simulates a physical button click using a background command. This trick fools the operating system into giving the trojan immediate priority to display its ads. Ads displayed by the trojan (Credit: Doctor Web) Doctor Web confirms that all identified malicious apps have now been removed from official stores. While the immediate distribution loop has been broken, this campaign shows how easily threat actors can weaponize the very software meant to protect us. (Image by iXimus from Pixabay) Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. View Posts Cyber AttackCybersecurityDoctor WebGetAppsMagicAdMalwareSamsungTROJANXiaomi Leave a Reply Cancel reply View Comments (0) Related Posts Security Surveillance LA Police’ New Taser Records Footage If Fired The Los Angeles Police Department has ordered some Tasers with built-in cameras that can actually record if the… byWaqas Security Malware Android Malware written in Kotlin found on Play Store stealing data Just another day with just another Android malware hosted on Google Play Store targeting unsuspecting users – But… byWaqas Hacking News Crypto Security Wormhole hack – Hackers steal $320M in one of the largest crypto heists Wormhole has confirmed the hack but claims that the stolen funds have been restored and the vulnerability in… byWaqas Android Apple News iPad iPhone Technology Apple Updated Maps Found to be Life Threatening Apple has been in news with concerns over it’s products since it’s iPhone 5 launch. But, those news… byWaqas","https:\u002F\u002Fhackread.com\u002Fandroid-apps-magicad-trojan-official-stores\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Fandroid-apps-magicad-trojan-official-stores.jpg","2026-06-15T10:02:35+00:00","2026-06-15T12:00:11.581094+00:00",7,[18,21,23],{"name":19,"type":20},"Xiaomi","vendor",{"name":22,"type":20},"Samsung",{"name":24,"type":20},"Doctor Web","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":25,"icon":27,"name":28,"slug":29},null,"Malware","malware",[31,33],{"category":32},{"id":25,"icon":27,"name":28,"slug":29},{"category":34},{"id":35,"icon":27,"name":36,"slug":37},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]