TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]

| Item | Value |
| --- | --- |
| ID | S0545 |
| Associated Names | |
| Version | 1.0 |
| Created | 18 December 2020 |
| Last Modified | 28 December 2020 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1407 | Download New Code at Runtime | TERRACOTTA can download additional modules at runtime via JavaScript eval statements.[1] |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | TERRACOTTA has registered several broadcast receivers.[1] |
| mobile | T1541 | Foreground Persistence | TERRACOTTA has utilized foreground services.[1] |
| mobile | T1643 | Generate Traffic from Victim | TERRACOTTA has generated non-human advertising impressions.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.002 | GUI Input Capture | TERRACOTTA has displayed a form to collect user data after installation.[1] |
| mobile | T1516 | Input Injection | TERRACOTTA can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.[1] |
| mobile | T1575 | Native API | TERRACOTTA has included native modules.[1] |
| mobile | T1406 | Obfuscated Files or Information | TERRACOTTA has stored encoded strings.[1] |
| mobile | T1603 | Scheduled Task/Job | TERRACOTTA has used timer events in React Native to initiate the foreground service.[1] |
| mobile | T1582 | SMS Control | TERRACOTTA can send SMS messages.[1] |
| mobile | T1418 | Software Discovery | TERRACOTTA can obtain a list of installed apps.[1] |
| mobile | T1422 | System Network Configuration Discovery | TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.[1] |
| mobile | T1633 | Virtualization/Sandbox Evasion | - |
| mobile | T1633.001 | System Checks | TERRACOTTA checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings.[1] |
| mobile | T1481 | Web Service | - |
| mobile | T1481.002 | Bidirectional Communication | TERRACOTTA has used Firebase for C2 communication.[1] |