Malware

MagicAd

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique

T1559Inter-Process CommunicationEvidence1

“Android.MagicAd.1 launches these programs via Android Binder by sending it regular intents via the Parcel data container.”

Privilege Escalation

2 techniques

T1068Exploitation for Privilege EscalationEvidence1

For instance, the software leverages the native Android Binder architecture to bypass standard application sandbox limits. By sending targeted commands, the trojan manipulates pre-installed system programs on the device.

T1548Abuse Elevation Control MechanismEvidence1

In addition to targeting specific brand configurations, the creators developed a universal method to bypass Android platform rules. This universal approach cleverly abuses the default system media player to gain execution rights.

Stealth

2 techniques

T1036MasqueradingEvidence1

Moreover, the malware hides inside seemingly harmless applications to avoid detection. Furthermore, the malware hides inside popular apps to deceive users.

T1497.003Time Based ChecksEvidence1

Subsequently, the malware issues automated background commands to simulate physical user inputs. By mimicking a record button press, it activates the system media receiver framework.

Discovery

1 technique

T1497.003Time Based ChecksEvidence1

Subsequently, the malware issues automated background commands to simulate physical user inputs. By mimicking a record button press, it activates the system media receiver framework.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

security online infoNews

Jun 9, 2026

MagicAd Android Trojan Bypasses Security Limits

Android malware concealed in more than 50 games and utility apps, distributed via Xiaomi's GetApps store. It abuses Android Binder IPC and system components, including the default media player and broadcast receivers, to bypass sandbox restrictions and silently launch intrusive full-screen advertisements in the background.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.