Skip to content

S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store. 1

Item Value
ID S0525
Associated Names
Version 1.0
Created 29 October 2020
Last Modified 29 October 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.1
mobile T1624 Event Triggered Execution -
mobile T1624.001 Broadcast Receivers Android/AdDisplay.Ashas has registered to receive the BOOT_COMPLETED broadcast intent to activate on device startup.1
mobile T1643 Generate Traffic from Victim Android/AdDisplay.Ashas can generate revenue by automatically displaying ads.1
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.1
mobile T1406 Obfuscated Files or Information Android/AdDisplay.Ashas has hidden the C2 server address using base-64 encoding. 1
mobile T1418 Software Discovery Android/AdDisplay.Ashas has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.1
mobile T1426 System Information Discovery Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if developer mode is enabled.1
mobile T1633 Virtualization/Sandbox Evasion -
mobile T1633.001 System Checks Android/AdDisplay.Ashas can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.1