USENIX Security 2026
When Fun Turns Toxic: A First Look at Aggressive Advertising in Mini-games
Pei Chen, Geng Hong, Yicheng Qin, Huazhe Wang, Mengying Wu, Min Yang, Ziru Zhao, Yuanpeng Zhu, Tao Su
Abstract
Mini-games have emerged as a dominant paradigm within super-app ecosystems, enabling lightweight services like casual games to reach millions of users instantly. While official advertisement interfaces simplify monetization, the ease of integration and insufficient oversight have led to aggressive and potentially deceptive advertising practices, severely degrading the user experience. Aggressive advertising, though not malware, still subverts platform security boundaries by abusing legitimate APIs to bypass auditing, manipulate user interaction, and undermine platform trust, constituting a systemic security risk rather than a mere policy violation. In this work, we conduct the first systematic security analysis of aggressive advertising in mini-games. We analyze platform policies and developer capabilities across nine mini-game platforms, and characterize aggressive advertising behaviors. We further design a scalable detection framework, MAAD, and perform a large-scale measurement across three major platforms, i.e., WeChat, Facebook Instant Games, and Quickgame, revealing that 49.95% of mini-games exhibit aggressive advertising, including cases in highly popular titles with over 100k user reviews. Our analysis further uncovers their disruptive behavioral patterns, such as game-specific triggers, excessive pop-up frequency, and misleading strategies, as well as adversarial bypass techniques. These findings show that aggressive advertising constitutes a widespread form of platform abuse enabled by structural blind spots in current enforcement mechanisms. We provide actionable implications for strengthening platform governance, detection, and long-term ecosystem resilience.

[Figure: Repeated pop-ups every +15s. ① An ad appears. ③ Ad reappears after 15s.]