Android.HiddenAds
Android.HiddenAds is an Android ad-displaying trojan family reported by Dr.Web as one of the most widespread Android threats across 2025 and into Q1 2026. It is commonly distributed as seemingly popular or harmless applications, including apps found on Google Play according to Dr.Web’s 2025 Android threat review. Its core behavior is to display intrusive advertisements, including full-screen video ads. A defining trait of the family is that it attempts to hide after installation by concealing or substituting its icon, making detection and removal more difficult for users. Dr.Web also identified Aegis as a subfamily of Android.HiddenAds. The family was repeatedly cited alongside Android.MobiDash as a leading Android ad-trojan threat, although Dr.Web reported declines in detections during late 2025 and Q1 2026, including a 7.09% decrease in Q1 2026 versus Q4 2025 and an 18.06% decrease in Q4 2025 on protected devices. In Dr.Web’s 2025 Android review, Android.HiddenAds remained the most detected malware family with a 27.42% share. High-confidence indicators from the content are behavioral rather than static: Android apps that hide or replace their launcher icons after installation and then display intrusive ads, including full-screen videos.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
2 techniques
Stealth
Members of the Android.HiddenAds family are often distributed as popular and harmless applications... The trojans were concealed in a number of tools for optimizing the operation of Android devices, and were distributed under the guise of messengers, multimedia, and other software.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android trojan family used to display intrusive ads, often disguised as benign apps and sometimes hiding its icon from the user.
Android adware trojan family focused on displaying advertisements; activity decreased in Q1 2026.
Adware trojan family that displays intrusive full-screen ads and attempts to evade user removal by hiding/altering launcher icons and concealing presence; includes the Aegis subfamily with auto-run behavior.
Android adware family that displays intrusive ads; among the most frequently encountered mobile threats in 2025.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.