S0525 Android/AdDisplay.Ashas
Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store.[1]
Item | Value |
---|---|
ID | S0525 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 29 October 2020 |
Last Modified | 29 October 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1437 | Application Layer Protocol | - |
mobile | T1437.001 | Web Protocols | Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.[1] |
mobile | T1624 | Event Triggered Execution | - |
mobile | T1624.001 | Broadcast Receivers | Android/AdDisplay.Ashas has registered to receive the BOOT_COMPLETED broadcast intent to activate on device startup.[1] |
mobile | T1643 | Generate Traffic from Victim | Android/AdDisplay.Ashas can generate revenue by automatically displaying ads.[1] |
mobile | T1628 | Hide Artifacts | - |
mobile | T1628.001 | Suppress Application Icon | Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.[1] |
mobile | T1406 | Obfuscated Files or Information | Android/AdDisplay.Ashas has hidden the C2 server address using Base64 encoding.[1] |
mobile | T1418 | Software Discovery | Android/AdDisplay.Ashas has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.[1] |
mobile | T1426 | System Information Discovery | Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if developer mode is enabled.[1] |
mobile | T1633 | Virtualization/Sandbox Evasion | - |
mobile | T1633.001 | System Checks | Android/AdDisplay.Ashas can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.[1] |