
S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store.[1]

| Item | Value |
| --- | --- |
| ID | S0525 |
| Associated Names | |
| Version | 1.0 |
| Created | 29 October 2020 |
| Last Modified | 29 October 2020 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1418 | Application Discovery | Android/AdDisplay.Ashas has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.[1] |
| mobile | T1402 | Broadcast Receivers | Android/AdDisplay.Ashas has registered to receive the BOOT_COMPLETED broadcast intent to activate on device startup.[1] |
| mobile | T1475 | Deliver Malicious App via Authorized App Store | Android/AdDisplay.Ashas has been identified in 42 apps in the Google Play Store.[1] |
| mobile | T1523 | Evade Analysis Environment | Android/AdDisplay.Ashas can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.[1] |
| mobile | T1472 | Generate Fraudulent Advertising Revenue | Android/AdDisplay.Ashas can generate revenue by automatically displaying ads.[1] |
| mobile | T1444 | Masquerade as Legitimate Application | Android/AdDisplay.Ashas has mimicked Facebook and Google icons on the “Recent apps” screen to avoid discovery and uses the package name to avoid detection.[1] |
| mobile | T1406 | Obfuscated Files or Information | Android/AdDisplay.Ashas has hidden the C2 server address using base-64 encoding.[1] |
| mobile | T1437 | Standard Application Layer Protocol | Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.[1] |
| mobile | T1508 | Suppress Application Icon | Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.[1] |
| mobile | T1426 | System Information Discovery | Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if developer mode is enabled.[1] |

