S0419 SimBad
SimBad was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name “SimBad” was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open-source framework Parse Server.[1]
Item | Value |
---|---|
ID | S0419 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 21 November 2019 |
Last Modified | 27 January 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1402 | Broadcast Receivers | SimBad registers for the BOOT_COMPLETED and USER_PRESENT broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.[1] |
mobile | T1475 | Deliver Malicious App via Authorized App Store | SimBad was distributed via the Google Play Store.[1] |
mobile | T1476 | Deliver Malicious App via Other Means | SimBad can install attacker-specified applications.[1] |
mobile | T1472 | Generate Fraudulent Advertising Revenue | SimBad generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.[1] |
mobile | T1444 | Masquerade as Legitimate Application | SimBad was embedded into legitimate applications.[1] |
mobile | T1508 | Suppress Application Icon | SimBad hides its icon from the application launcher.[1] |