The Attack Method
Security researchers at Dr.Web have identified a new Android trojan called MagicAd that forces unwanted advertisements onto infected devices. The malware operates by loading ad banners as translucent activity windows, which allows it to circumvent Android’s standard permission system for overlay windows. This technique enables the ads to display on screen without triggering the normal user consent prompts that typically govern such behavior.
Once installed, the trojan performs a series of checks to avoid detection. It looks for signs of virtual machine environments, verifies that the installation came from a real user, and cross-references the device’s network address against an internal blacklist. If the environment appears safe, the malware hides its icon from the app menu and establishes background services that keep it active even after the user closes the original application.
Distribution and Scope
MagicAd was found hidden inside more than 50 games and applications available through GetApps, the official app store for Xiaomi devices. Each infected app remained in the store for about a month before being replaced with a new one, a rotation strategy designed to evade discovery. The threat also appeared earlier in the Samsung Galaxy Store around 2025. While the developers have stopped distributing new infected uploads, devices already compromised remain vulnerable.
The malware’s reach extends beyond Xiaomi devices. Variants were created to target Vivo smartphones and Amazon Fire TV devices, broadening the potential attack surface. On Xiaomi devices specifically, the trojan sends crafted intents to trusted system applications such as Mi Browser and Miui SystemUI, using these legitimate programs as relays to display advertisements without raising suspicion.
Source: Cyber Security News
