HiddenAd (Malware)
⚠️ Overview
HiddenAd is a trojanized ad-injection malware first documented in July 2019 by security researchers at ESET, operating as a click-fraud and ad-redirection threat that injects invisible ads into web traffic on Android devices. It belongs to the broader category of adware/mobile trojans, leveraging legitimate ad SDKs to hide its malicious activity under the guise of normal advertising. The malware is believed to be maintained by a financially motivated threat actor targeting users in South Asia and the Middle East, with no confirmed law enforcement attribution as of 2024.
🔧 Technical Capabilities
HiddenAd propagates primarily through trojanized versions of popular apps hosted on third-party app stores, using repackaging techniques to embed malicious code into legitimate APKs. Its attack vector relies on social engineering to convince users to sideload apps from untrusted sources, after which the malware establishes a persistent presence by registering as a device admin and requesting “Draw over other apps” permission. The C2 infrastructure uses HTTP-based communications with obfuscated JSON payloads to receive ad-fetching instructions and report user interaction data. Persistence is achieved via Android’s BroadcastReceiver and Service components that restart on device boot or app launch. Evasion techniques include checking for emulator environments, delaying malicious activity by 24–48 hours after installation, and encoding C2 domains using base64 and custom XOR keys to bypass static analysis.
📜 History & Notable Incidents
First discovered in July 2019 by ESET researchers during a campaign targeting users in India, Pakistan, and Bangladesh, HiddenAd was found in over 30 trojanized apps including fake versions of WhatsApp, Facebook, and Instagram. In March 2020, a second wave used COVID-19-themed apps to distribute HiddenAd, reaching an estimated 150,000 devices before Google Play Protect flagged the samples. No CVEs have been directly associated with HiddenAd itself, as it exploits Android permissions rather than system vulnerabilities. Law enforcement has not taken public action against the operators as of 2025.
🔍 Detection Indicators
Known file hashes include SHA-256 values from ESET reports: 9f6c1b7e2a8d4f5c3e0b9a7d1c2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 (example only; actual IOCs are in vendor databases). Behavioral signatures include high CPU usage during screen-off periods, excessive network traffic to ad-serving domains, and sudden appearance of invisible WebView overlays. Network IOCs include C2 domains like adserver-hiddenad[.]com (now sinkholed by ESET) and User-Agent strings mimicking “Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36”. Registry keys are not applicable on Android; instead, the malware adds entries to /data/system/packages.xml for persistence.
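The network indicators above (the defanged C2 domain and the mimicked User-Agent) together with the "excessive traffic to ad-serving domains" behaviour can be turned into a first-pass triage over proxy logs. The following is an added example, not code from ESET or from the page's source; the log format, the `ads.example.net` host, the per-minute threshold and exact-match on the quoted User-Agent are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators quoted in the Detection Indicators section. The domain is written
# defanged ("[.]") and must be refanged before it can match a real log field.
C2_DOMAINS_DEFANGED = ["adserver-hiddenad[.]com"]
SPOOFED_UA = "Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36"
RATE_THRESHOLD = 20  # spoofed-UA requests per device per minute (assumed tuning value)

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'evil[.]com' back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Constructed proxy log format (assumption, not any vendor's format):
# <ISO timestamp> <device_id> <host> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # skip lines that do not match the expected layout
    ts, device, host, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "device": device, "host": host.lower(), "ua": ua}

def triage(lines):
    """Return per-device findings: C2 contacts and bursts of spoofed-UA ad requests."""
    findings = defaultdict(set)
    per_minute = defaultdict(int)  # (device, minute bucket) -> spoofed-UA request count
    for rec in filter(None, map(parse_line, lines)):
        host = rec["host"]
        if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            findings[rec["device"]].add(f"c2-contact:{host}")
        if rec["ua"] == SPOOFED_UA:  # real browsers send a longer UA; the short form is the tell
            bucket = (rec["device"], rec["ts"].replace(second=0, microsecond=0))
            per_minute[bucket] += 1
            if per_minute[bucket] == RATE_THRESHOLD:
                findings[rec["device"]].add("ad-request-burst")
    return {dev: sorted(f) for dev, f in findings.items()}

# Constructed sample: dev-a hammers an ad host with the spoofed UA, then contacts the C2;
# dev-b is a normal browser session on an unrelated site.
SAMPLE_LOGS = (
    [f'2019-07-12T02:15:{s:02d} dev-a ads.example.net "{SPOOFED_UA}"' for s in range(25)]
    + ['2019-07-12T02:16:00 dev-a adserver-hiddenad.com "okhttp/3.12.1"',
       '2019-07-12T02:16:05 dev-b www.example.com "Mozilla/5.0 (Linux; Android 10) Chrome/80"']
)

if __name__ == "__main__":
    for device, hits in triage(SAMPLE_LOGS).items():
        print(device, hits)
```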
☠️ Risk & Impact
HiddenAd causes financial damage to advertisers through click fraud by generating fake ad impressions and clicks, potentially reaching up to 50,000 fake interactions per infected device per day. Data exfiltration is limited to device identifiers (IMEI, IMSI, advertising ID) and network carrier details; no credential theft or ransomware capabilities have been observed. The affected sectors are primarily mobile advertising ecosystems and individual users in South Asia, with conservative cost estimates of $2-$5 per compromised device over its lifecycle.
🛡️ Mitigation
Recommended defensive measures include disabling installation from unknown sources on Android devices, using ESET Mobile Security or Lookout for behavioral detection, and applying Google Play Protect updates regularly. Enterprises should deploy mobile device management (MDM) policies to block sideloaded apps and monitor for network traffic to known ad-fraud C2 servers using Suricata or Snort rules published by ESET in their threat report (ESET “HiddenAd” blog post, July 2019).