Android.MagicAd.1

Added to the Dr.Web virus database: 2026-03-24

Virus description added:

SHA1 hash:

  • 17f77fdea2c6bfaf9919f9e44311df7a058046f8

Description

Android.MagicAd.1 is a trojan app that targets Android devices and is designed to display ads. Malicious actors build this malware into various games and programs (for example, system optimization tools, media players, tools for working with documents, health-monitoring apps, etc.), which they then distribute as harmless software. Initial versions of this trojan emerged roughly in 2025 and have been found in GetApps (Xiaomi Store) and Samsung Store app catalogs. Current versions were detected in the GetApps catalog.

To display ads in the background, Android.MagicAd.1 uses a number of techniques for bypassing security limitations in modern Android OS versions. These techniques are targeted at devices from specific manufacturers.

Operating routine

Control channels

For controlling Android.MagicAd.1, two configuration types are available:

  • a basic configuration built into the trojan;
  • a configuration received via the SolarEngine SDK.

Basic configuration

The basic configuration contains parameters for displaying ads, as well as settings for the malware itself. It can be updated via Firebase Remote Config.

An example of the basic configuration:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<long name="CONIFG_IAP_NOTIFICATION_SHOW_TIMES" value="10" />
<long name="CONIFG_DISABLE_ADJUST_DAY" value="8" />
<boolean name="CONIFG_DISABLE_CHARTBOOST" value="false" />
<boolean name="CONIFG_LX_AD" value="true" />
<boolean name="CONIFG_DELAY_DATA_FINDER" value="false" />
<boolean name="CONIFG_OPEN" value="true" />
<boolean name="CONIFG_DISABLE_AD_TWICE" value="false" />
<boolean name="CONIFG_DELAY_SOLAR_EVENT" value="false" />
<long name="CONIFG_ORGANIC_WAIT_AD_MINUTE_AMAZON" value="1500" />
<boolean name="KEY_WAIT_HIDE" value="false" />
<string name="KEY_CHANNEL">Organic</string>
<boolean name="CONIFG_DISABLE_SHOW_MAIN" value="false" />
<string name="SOLAR_ATTRIBUTION_SUCCESS_has_day">20260414</string>
<boolean name="CONIFG_DISABLE_PICASSOTT" value="false" />
<string name="REFERRER_REMOTE_DISABLE_REFERRER_FALSE_has_day">20260414</string>
<string name="CONIFG_IAP_REMIND_LATER_DAY"></string>
<string name="REFERRER_SKIP_INIT_has_day">20260414</string>
<boolean name="CONIFG_CROSS_SET_TIME" value="true" />
<boolean name="CONIFG_DISABLE_OPEN" value="false" />
<boolean name="KEY_HAS_SEND_EXTERNAL_EVENT" value="true" />
<boolean name="CONIFG_TOPON_AUTO" value="true" />
<boolean name="CONIFG_IAP_ENABLE" value="true" />
<string name="CONFIG_ENABLE_HIDDEN_ICON_has_day">20260414</string>
<string name="SOLAR_NOT_FROM_SOLAR_has_day">20260414</string>
<boolean name="CONIFG_DISABLE_ADJUST" value="false" />
<string name="RISK_IP_NOT_has_day">20260414</string>
<long name="CONIFG_ORGANIC_WAIT_MINUTE_AMAZON" value="480" />
<boolean name="KEY_SOLAR_CALLBACK" value="true" />
<boolean name="CONIFG_RETURN_REMOTE_CONFIG" value="true" />
<string name="CONFIG_INIT_LOCAL_ENABLE_has_day">20260414</string>
<boolean name="CONIFG_DISABLE_DELAY_HIDE" value="true" />
<long name="CONIFG_ADSHOW_TIMES_FOR_CONVERSION" value="30" />
<boolean name="CONIFG_ENABLE_SEND_ONCE" value="false" />
<string name="HIDE_DIRECT_has_day">20260414</string>
<int name="KEY_DEVICE_ACTIVE_DAY" value="1" />
<boolean name="CONIFG_DELAY_SOLAR" value="false" />
<long name="CONIFG_SHOW_AD_LOADING_TIME" value="300" />
<long name="KEY_DEVICE_INIT_TIME" value="1776159084547" />
<boolean name="CONIFG_FORCE_HIDE_AMAZON" value="false" />
<boolean name="CONIFG_ONLINE_TIME_EMPTY_PASS" value="false" />
<boolean name="CONIFG_HAS_REMOTE_CONFIG" value="true" />
<long name="CONIFG_SHOW_AD_FINISH_TIME" value="5000" />
<string name="CONFIG_ENTER_has_day">20260414</string>
<long name="CONIFG_DELAY_ENABLE_MINITE" value="30" />
<string name="DEVICE_NOT_ORGANIC_has_day">20260414</string>
<string name="SOLAR_SET_LISTENER_has_day">20260414</string>
<string name="CONFIG_SUCCESS_has_day">20260414</string>
<long name="CONIFG_IAP_AD_INTERVAL" value="20" />
<long name="CONIFG_SHOW_AD_DELAY_TIME" value="300" />
<long name="CONIFG_ALL_INTERVAL_SECOND" value="60" />
<boolean name="CONIFG_SHOW_AD_JUMP" value="false" />
<string name="SOLAR_INIT_has_day">20260414</string>
<string name="CONIFG_AMAZON_ID"></string>
<string name="CONIFG_SOLAR_CHANNEL"></string>
<string name="ACTION_ENTER_SZ_has_day">20260414</string>
<long name="CONIFG_IAP_INTERVAL" value="7200000" />
<string name="REFERRER_LOCAL_DISABLE_REFERRER_FALSE_has_day">20260414</string>
<boolean name="CONIFG_ENABLE_ADJUST_LIMIT" value="false" />
<boolean name="CONIFG_DISABLE_CAN_SHOW_SEND" value="false" />
<string name="CONIFG_DISABLE_HIDE_REGULAR"></string>
<boolean name="CONIFG_FORCE_CLOSE_AD" value="true" />
<string name="CONIFG_REFERRER_REGULAR"></string>
<boolean name="CONIFG_DISABLE_ICON" value="false" />
<boolean name="KEY_HAS_HIDE" value="true" />
<string name="CAN_SHOW_BEFORE_IN_INTERVAL_has_day">20260414</string>
<long name="CONIFG_FIRST_INTERVAL" value="30" />
<boolean name="CONIFG_ENABLE_ORGANIC_CONVERT" value="false" />
<string name="CONIFG_IAP_JSON"></string>
<boolean name="KEY_DEVICE_INITED" value="true" />
<boolean name="CONIFG_LX_AD_ABTEST" value="false" />
<string name="CONIFG_IAP_PACKAGENAME">com.adrremover.ffilemanager</string>
<long name="CONIFG_TIME" value="1776159084664" />
<boolean name="CONIFG_DISABLE_SEND_DAY" value="false" />
<string name="CONIFG_MAX_NETWORK_ID"></string>
<boolean name="CONIFG_ENABLE_ORGANIC_AMAZON_CONVERT" value="false" />
<int name="KEY_AD_SHOW_TIMES" value="5" />
<long name="CONIFG_PERIOD_INTERVAL_SECOND" value="30" />
<boolean name="CONIFG_ENABLE_ENTER_MAIN_YANDEX" value="false" />
<long name="CONIFG_REVENUE_DISCOUNT" value="70" />
<boolean name="CONIFG_GCLID_VALID_CHANNEL" value="false" />
<boolean name="CONIFG_ENABLE_REFERRER_FB" value="true" />
<string name="KEY_SOLAR_JSON">{&quot;account_id&quot;:&quot;&quot;,&quot;ad_type&quot;:&quot;&quot;,&quot;adcreative_id&quot;:&quot;&quot;,&quot;adcreative_name&quot;:&quot;&quot;,&quot;adcreative_type&quot;:&quot;&quot;,&quot;adgroup_id&quot;:&quot;&quot;,&quot;adgroup_name&quot;:&quot;&quot;,&quot;adplan_id&quot;:&quot;&quot;,&quot;adplan_name&quot;:&quot;&quot;,&quot;attribution_categories&quot;:&quot;&quot;,&quot;attribution_event_name&quot;:&quot;&quot;,&quot;attribution_time&quot;:&quot;2026-04-02 23:24:49&quot;,&quot;attribution_touch_type&quot;:&quot;&quot;,&quot;attribution_type&quot;:&quot;&quot;,&quot;callback_id&quot;:&quot;&quot;,&quot;channel_id&quot;:&quot;-1&quot;,&quot;channel_name&quot;:&quot;自然量&quot;,&quot;click_id&quot;:&quot;&quot;,&quot;client_custom_params_1&quot;:&quot;&quot;,&quot;client_custom_params_10&quot;:&quot;&quot;,&quot;client_custom_params_2&quot;:&quot;&quot;,&quot;client_custom_params_3&quot;:&quot;&quot;,&quot;client_custom_params_4&quot;:&quot;&quot;,&quot;client_custom_params_5&quot;:&quot;&quot;,&quot;client_custom_params_6&quot;:&quot;&quot;,&quot;client_custom_params_7&quot;:&quot;&quot;,&quot;client_custom_params_8&quot;:&quot;&quot;,&quot;client_custom_params_9&quot;:&quot;&quot;,&quot;conversion_id&quot;:&quot;&quot;,&quot;custom_params_1&quot;:&quot;&quot;,&quot;custom_params_10&quot;:&quot;&quot;,&quot;custom_params_2&quot;:&quot;&quot;,&quot;custom_params_3&quot;:&quot;&quot;,&quot;custom_params_4&quot;:&quot;&quot;,&quot;custom_params_5&quot;:&quot;&quot;,&quot;custom_params_6&quot;:&quot;&quot;,&quot;custom_params_7&quot;:&quot;&quot;,&quot;custom_params_8&quot;:&quot;&quot;,&quot;custom_params_9&quot;:&quot;&quot;,&quot;impression_id&quot;:&quot;&quot;,&quot;install_time&quot;:&quot;2026-04-02 23:24:46&quot;,&quot;placement_id&quot;:&quot;&quot;,&quot;report_time&quot;:&quot;2026-04-02 23:24:48&quot;,&quot;request_id&quot;:&quot;&quot;,&quot;ry_touchpoint_ts&quot;:&quot;&quot;,&quot;site_id&quot;:&quot;&quot;,&quot;site_name&quot;:&quot;&quot;,&quot;turl_campaign_id&quot;:&quot;&quot;,&quot;turl_campaign_name&quot;:&quot;&quot;,&quot;turl_id&quot;:&quot;&quot;}</string>
<boolean name="CONIFG_MTG_APP" value="true" />
<string name="STRATEGY_XIAOMI_has_day">20260414</string>
<string name="CONIFG_AD_PLAN_NAME_REGULAR"></string>
<int name="KEY_AD_SHOW_TIMES_1_DAY" value="5" />
<long name="CONIFG_FAIL_TIMES_LIMIT" value="0" />
<boolean name="CONIFG_AUTO_CLICK_MY_OFFER" value="true" />
<boolean name="CONIFG_ENABLE_NOT_SET" value="false" />
<string name="KEY_IP">device_ip</string>
<boolean name="CONIFG_DISABLE_EVENT" value="false" />
<boolean name="CONIFG_ENABLE_REFERRER_DECRYPT" value="true" />
<boolean name="CONIFG_LOCAL_ENABLE" value="true" />
<string name="CAN_SHOW_BEFORE_SCREEN_LOCK_has_day">20260414</string>
<string name="CONFIG_REMOTE_ENABLE_has_day">20260414</string>
<boolean name="CONIFG_DISABLE_AD_ACTIVITY" value="false" />
<string name="DEVICE_CONFIG_ENABLE_has_day">20260414</string>
<boolean name="CONIFG_DISABLE_REFERRER" value="false" />
<long name="CONIFG_ORGANIC_WAIT_MINUTE" value="720" />
<long name="CONIFG_CLICK_INTERVAL_SECOND" value="60" />
<long name="KEY_DEVICE_INIT_TIME_ONLINE" value="1776159085000" />
<boolean name="CONIFG_SHOW_AD_JUMP_ABTEST" value="true" />
<string name="CONIFG_RISK_IP"></string>
<long name="CONIFG_IAP_TOTAL_SHOW_TIMES" value="5" />
<boolean name="CONIFG_ENABLE_GCLID" value="false" />
<boolean name="CONIFG_ENABLE_AD_EVENT" value="false" />
<boolean name="CONIFG_SHOW_AD_DELAY" value="true" />
</map>

Depending on their current goals, threat actors can update only necessary parameters instead of the whole configuration at once.

An example of the configuration in which time intervals for displaying ads are set:

{
    "entries": {
        "CONIFG_ALL_INTERVAL_SECOND": "60",
        "CONIFG_CLICK_INTERVAL_SECOND": "60",
        "CONIFG_PERIOD_INTERVAL_SECOND": "30",
        "FirstInterval": "30"
    },
    "appName": "com.supermax.clenauppro",
    "state": "UPDATE",
    "templateVersion": "1"
}

SolarEngine SDK configuration

The SolarEngine SDK configuration contains parameters for collecting statistics about displayed ads. An example of such a configuration is shown below:

{
    "data": {
        "user_data": {
            "account_id": "",
            "ad_type": "",
            "adcreative_id": "",
            "adcreative_name": "",
            "adcreative_type": "",
            "adgroup_id": "",
            "adgroup_name": "",
            "adplan_id": "",
            "adplan_name": "",
            "attribution_categories": "",
            "attribution_event_name": "",
            "attribution_time": "2026-04-02 23:24:49",
            "attribution_touch_type": "",
            "attribution_type": "",
            "callback_id": "",
            "channel_id": "-1",
            "channel_name": "自然量",
            "click_id": "",
            "client_custom_params_1": "",
            "client_custom_params_10": "",
            "client_custom_params_2": "",
            "client_custom_params_3": "",
            "client_custom_params_4": "",
            "client_custom_params_5": "",
            "client_custom_params_6": "",
            "client_custom_params_7": "",
            "client_custom_params_8": "",
            "client_custom_params_9": "",
            "conversion_id": "",
            "custom_params_1": "",
            "custom_params_10": "",
            "custom_params_2": "",
            "custom_params_3": "",
            "custom_params_4": "",
            "custom_params_5": "",
            "custom_params_6": "",
            "custom_params_7": "",
            "custom_params_8": "",
            "custom_params_9": "",
            "impression_id": "",
            "install_time": "2026-04-02 23:24:46",
            "placement_id": "",
            "report_time": "2026-04-02 23:24:48",
            "request_id": "",
            "ry_touchpoint_ts": "",
            "site_id": "",
            "site_name": "",
            "turl_campaign_id": "",
            "turl_campaign_name": "",
            "turl_id": ""
        }
    },
    "status": 0
}

If the parameters adplan_name and channel_id are specified in this configuration, the malware hides its app icon and starts displaying ads.
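To make the two configuration formats above usable in triage, here is an added Python example (not Dr.Web's code and not taken from the trojan) that parses a dumped SharedPreferences <map> of this shape into typed values, unpacks the embedded KEY_SOLAR_JSON, and evaluates the two ad-display triggers this write-up describes: CONIFG_DISABLE_REFERRER set to true (the key the text calls DISABLE_REFERRER), or adplan_name and channel_id both present in the SolarEngine data. The sample XML is constructed and abbreviated, and reading "specified" as "non-empty" is an assumption.

```python
# Added example (not Dr.Web's code): triage a dumped SharedPreferences XML of the
# kind shown in the write-up. It parses the <map> into typed values, unpacks the
# embedded SolarEngine JSON (KEY_SOLAR_JSON) and applies the two triggers the
# write-up describes for hiding the icon and starting ads.
import json
import xml.etree.ElementTree as ET

# Constructed, abbreviated sample in the same format as the trojan's config dump.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<long name="CONIFG_ALL_INTERVAL_SECOND" value="60" />
<long name="CONIFG_PERIOD_INTERVAL_SECOND" value="30" />
<boolean name="CONIFG_DISABLE_REFERRER" value="false" />
<boolean name="KEY_HAS_HIDE" value="true" />
<string name="CONFIG_ENABLE_HIDDEN_ICON_has_day">20260414</string>
<string name="KEY_SOLAR_JSON">{&quot;adplan_name&quot;:&quot;&quot;,&quot;channel_id&quot;:&quot;-1&quot;}</string>
</map>
"""


def parse_prefs(xml_text):
    """Return {name: typed value} from an Android SharedPreferences <map>."""
    out = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name")
        if el.tag in ("long", "int"):
            out[name] = int(el.get("value"))
        elif el.tag == "boolean":
            out[name] = el.get("value") == "true"
        elif el.tag == "string":
            out[name] = el.text or ""   # the XML parser already unescapes &quot;
    return out


def triage(prefs):
    """Summarise the settings that matter for the ad-display decision."""
    solar = json.loads(prefs["KEY_SOLAR_JSON"]) if prefs.get("KEY_SOLAR_JSON") else {}
    # Assumption: "adplan_name and channel_id are specified" means both non-empty.
    attributed = bool(solar.get("adplan_name")) and bool(solar.get("channel_id"))
    disable_referrer = bool(prefs.get("CONIFG_DISABLE_REFERRER", False))
    return {
        "disable_referrer": disable_referrer,
        "solar_attributed": attributed,
        "icon_hidden": bool(prefs.get("KEY_HAS_HIDE", False)),
        "ad_interval_s": prefs.get("CONIFG_ALL_INTERVAL_SECOND"),
        # *_has_day markers record the day on which an action was performed
        "has_day_markers": sorted(k for k in prefs if k.endswith("_has_day")),
        "ads_enabled": disable_referrer or attributed,
    }


if __name__ == "__main__":
    print(triage(parse_prefs(SAMPLE_PREFS)))
```

A dump pulled from a device's shared_prefs directory can be fed to parse_prefs() unchanged; the large KEY_SOLAR_JSON blob in the real config decodes the same way.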

Anti-analysis defense

When launched, Android.MagicAd.1 first checks the environment for signs that it is being analyzed.

1. It checks the infected device’s IP address against a blacklist hardcoded into the trojan. If the first 3 octets of the address match one of the entries in this list, ads are not displayed. The list can be updated via Firebase Remote Config.

Figure: a fragment of the IP blacklist

2. It checks the device’s model and brand name against its blacklist, which contains the standard names used by a number of emulators.

Figure: the blacklist of device model and brand names associated with emulators

3. It checks the advertising_id identifiers:

// Decompiled fragment (context0 is the app Context): reads the ad-tracking flag and the
// advertising ID from secure settings; the getInt() result is discarded by the trojan.
ContentResolver contentResolver0 = context0.getContentResolver();
Settings.Secure.getInt(contentResolver0, "limit_ad_tracking");
String s1 = Settings.Secure.getString(contentResolver0, "advertising_id");

Figure: the blacklist of advertising IDs

The identifiers blacklist can be updated via Firebase Remote Config.

If the trojan finds a match, it will not display ads.

If there is no match, the malware obtains the updated configuration via Firebase Remote Config and then checks the parameter DISABLE_REFERRER in it. If its value is true, Android.MagicAd.1 conceals its app icon and starts displaying ads. In earlier versions of the trojan, this parameter is initially set in the app’s settings.

If the parameter’s value is not true, the trojan checks whether its installation was organic. For this, it verifies the value of the parameter CONFIG_INSTALL_REFERRER; this value indicates the installation referrer.

When Android.MagicAd.1 receives the configuration via SolarEngine SDK, it does not check the environment and directly starts displaying ads.

Preparing for displaying ads

If an infected device passes all checks, Android.MagicAd.1 launches its persistence services and registers implicit broadcast receivers whose intent filters listen for the following system events:

  • android.intent.action.SCREEN_ON
  • android.intent.action.SCREEN_OFF
  • android.intent.action.USER_PRESENT
  • android.media.VOLUME_CHANGED_ACTION
  • android.net.conn.CONNECTIVITY_CHANGE
  • android.intent.action.CLOSE_SYSTEM_DIALOGS
  • android.intent.action.PACKAGE_ADDED
  • android.intent.action.PACKAGE_REMOVED
  • android.intent.action.PACKAGE_REPLACED

The trojan’s broadcast receiver monitors these events and launches an intent containing an advertisement when one of them occurs.

Persistence

Android.MagicAd.1 creates a notification channel to maintain activity and keep operating in the background even after the malware’s main window has been closed. It launches several services via this channel; these services also run as separate processes.

Using JobScheduler, the trojan creates a JobService task with setPersisted(), which allows the task to survive a system reboot. Every 4 seconds, this task restarts the services responsible for the notification channel’s operation and re-creates the channel if it is missing.

Displaying ads

The main functionality responsible for displaying ads is located in the native libraries. They are encrypted and usually found in the trojan’s resources directory as two specially crafted files: ka3f0 and la3f0. Each file consists of two versions of a library “glued” together, targeting the armeabi-v7a and arm64 architectures respectively.

Figure: files containing pairs of encrypted malicious libraries of the Android.MagicAd.1 trojan

When a native method from the first library is called, Android.MagicAd.1 first decrypts that library from the file ka3f0 using XOR. The library’s native methods act as a shim between Java methods, so cross-references become entangled and the real execution order is no longer visible, which complicates analysis of the malware.

When the broadcast receiver is triggered, the trojan creates an intent for displaying an advertisement and tries to launch it using several techniques. The main method relies on the second library, from the file la3f0, which decrypts a payload of 5 dex files from its body.
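As an added analyst helper (not Dr.Web's code and not taken from the trojan), the script below carves a resource blob of the ka3f0/la3f0 kind, two XOR-encrypted ELF libraries glued back to back, into its armeabi-v7a and arm64 halves by recovering the key from the ELF magic. The write-up states only that XOR is used, so the single-byte key and the blob starting directly with an ELF header are assumptions; the sample blob is constructed.

```python
# Added example (not Dr.Web's code): carve a blob of two XOR-encrypted ELF libraries
# glued back to back (the ka3f0/la3f0 layout). Assumes a single-byte XOR key and
# an ELF header at offset 0, which is enough to recover the key from the magic.
import struct

ELF_MAGIC = b"\x7fELF"
EM_ARM, EM_AARCH64 = 0x28, 0xB7


def elf_arch(hdr):
    """Map an ELF header to the ABI name used in the write-up (or None)."""
    if hdr[:4] != ELF_MAGIC or len(hdr) < 20:
        return None
    ei_class = hdr[4]                              # 1 = ELF32, 2 = ELF64
    e_machine = struct.unpack_from("<H", hdr, 18)[0]
    if ei_class == 1 and e_machine == EM_ARM:
        return "armeabi-v7a"
    if ei_class == 2 and e_machine == EM_AARCH64:
        return "arm64-v8a"
    return None


def carve(blob):
    """Return (key, [(offset, arch), ...]) for every ELF header found after XOR."""
    key = blob[0] ^ ELF_MAGIC[0]                   # blob starts with an encrypted header
    plain = bytes(b ^ key for b in blob)
    hits = []
    pos = plain.find(ELF_MAGIC)
    while pos != -1:
        arch = elf_arch(plain[pos:pos + 20])
        if arch:
            hits.append((pos, arch))
        pos = plain.find(ELF_MAGIC, pos + 1)
    return key, hits


def split_libraries(blob):
    """Split the decrypted blob at each ELF header: {arch: bytes}."""
    key, hits = carve(blob)
    plain = bytes(b ^ key for b in blob)
    bounds = [off for off, _ in hits] + [len(plain)]
    return {arch: plain[bounds[i]:bounds[i + 1]] for i, (_, arch) in enumerate(hits)}


def fake_elf(ei_class, machine, body):
    """Build a minimal 20-byte ELF header plus body (constructed test input only)."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1]) + b"\x00" * 9   # 16-byte e_ident
    return ident + struct.pack("<HH", 3, machine) + body        # e_type = ET_DYN


# Constructed sample: a 32-bit ARM stub and a 64-bit AArch64 stub glued, XOR 0x5A.
_PLAIN = fake_elf(1, EM_ARM, b"A" * 40) + fake_elf(2, EM_AARCH64, b"B" * 40)
SAMPLE_BLOB = bytes(b ^ 0x5A for b in _PLAIN)
```

Real samples may use a longer key or a prefix before the first header; in that case derive the key from a known-plaintext position rather than from the first byte.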

One of the decrypted dex files is Android.MagicAd.4. It initializes Android.MagicAd.1.origin, which is the main component responsible for launching the initial intent containing an ad.

To launch an activity with the ad, Android.MagicAd.1 sends the corresponding intent to the dex file Android.MagicAd.1.origin. Depending on the device model, this dex tries to launch the activity from the background by abusing third-party apps, choosing the most suitable method.

If the main technique for launching the intent via the dex file does not work, Android.MagicAd.1 retries it 2 more times. If that also fails, the trojan launches the intent either directly with startActivity() or by creating a pending intent and calling PendingIntent.send().

By overriding onBackPressed(), Android.MagicAd.1 prevents the app from being closed, and it hides the system UI (for example, the navigation buttons and notifications) for the activity in which the advertisement is displayed.

The trojan launches the intent with the ad as a translucent activity, which allows banners to appear on top of other running apps. The advertisement itself is loaded via the ThinkUp SDK.

MITRE ATT&CK®

We analyzed Android.MagicAd.1 using the MITRE ATT&CK® framework, a matrix describing the tactics and techniques that cybercriminals use to attack information systems. The following key techniques were identified:

Stage                 Technique
Initial Access        Application Versioning (T1661)
Execution             Command and Scripting Interpreter (T1623)
                        Unix Shell (T1623.001)
                      Native API (T1575)
                      Scheduled Task/Job (T1603)
Persistence           Boot or Logon Initialization Scripts (T1398)
                      Event Triggered Execution (T1624)
                        Broadcast Receivers (T1624.001)
                      Foreground Persistence (T1541)
                      Hijack Execution Flow (T1625)
                      Scheduled Task/Job (T1603)
Defense Evasion       Application Versioning (T1661)
                      Foreground Persistence (T1541)
                      Hide Artifacts (T1628)
                        Suppress Application Icon (T1628.001)
                        User Evasion (T1628.002)
                      Native API (T1575)
                      Obfuscated Files or Information (T1406)
                      Virtualization/Sandbox Evasion (T1633)
                        Virtualization/Sandbox Evasion (T1633.001)
Discovery             Software Discovery (T1418)
                      System Information Discovery (T1426)
                      System Network Configuration Discovery (T1422)
                        Internet Connection Discovery (T1422.001)
Command and Control   Application Layer Protocol (T1437)
                        Web Protocols (T1437.001)
                      Web Service (T1481)
                        Bidirectional Communication (T1481.002)
Impact                Generate Traffic from Victim (T1643)


Curing recommendations

Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.