Samsung's Galaxy Store distributed more than 50 apps secretly laced with a hidden Android trojan called MagicAd, according to security firm Dr. Web. The infected apps, which were primarily games and utility programs, have since been removed from the store. But if you downloaded one of the infected apps before it was removed, the malware may still be running on your phone right now.
Deleting the app doesn't stop it. The malware plants persistent background services that keep running after the host app is gone, and it hides its own icon from the app drawer so you'd have no obvious way to spot it. The only signs something is wrong are the symptoms: ads appearing on your screen when no apps are open, unexplained battery drain, and data usage you can't account for.
How MagicAd got in and stayed hidden
According to Dr. Web, the malware was engineered to avoid early detection. Before activating, it checked whether it was being analyzed in a test environment. If everything looked like a real device with a real user, it proceeded. It hid its core code inside encrypted files within each app, then decrypted and ran that code directly in device memory, leaving fewer obvious traces for security software to catch.
The developers behind MagicAd also planned for their apps getting pulled. Each infected app appeared in the Galaxy Store for roughly a month before disappearing, then a new infected version replaced it. That rotation kept the malware circulating while minimizing how long any single app was exposed to scrutiny.
The motive was money, not data theft. MagicAd generated revenue through fraudulent ad impressions. Your phone was silently serving ads in the background, with the proceeds going to whoever ran the operation.
How to check if you're affected
Dr. Web has not published a list of specific app names, and the deliberate rotation strategy is why: the infected apps cycled in and out of the Galaxy Store on a roughly monthly schedule, so any list would be outdated before most readers could act on it. If you installed a game or utility app from Samsung Galaxy Store in the past several months and started noticing pop-up ads with no obvious source, faster battery drain, or data spikes you can't explain, the malware may be present on your device.
Run a full scan with one of our top-rated Android security apps. Bitdefender Mobile Security, McAfee Security, and Norton 360 Deluxe all reliably detect active malware, including persistent background threats like MagicAd. If you'd rather not pay, Avira Antivirus Security is a solid free option. If the symptoms persist, a factory reset is the most thorough way to clear a deeply embedded trojan.
Before resetting your phone, back up your important files, including photos, videos, text messages, and documents. Consult our guide to backing up your Android phone to ensure you have everything you want to keep. Do not include app settings or include the whole system. If you do, you'll just be reinstalling the malware.
Samsung Galaxy Store has a smaller catalog than Google Play and is often positioned as a curated alternative, but no official store screens out every threat. Checking ratings and download counts before installing anything, even on Samsung's store, is always worth doing.
[Image credit: Suzanne Kantra/Techlicious]
