Skip to content

S0419 SimBad

SimBad was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name “SimBad” was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.1

Item Value
ID S0419
Associated Names
Version 1.0
Created 21 November 2019
Last Modified 27 January 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1624 Event Triggered Execution -
mobile T1624.001 Broadcast Receivers SimBad registers for the BOOT_COMPLETED and USER_PRESENT broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.1
mobile T1643 Generate Traffic from Victim SimBad generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.1
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon SimBad hides its icon from the application launcher.1