
T1643 Generate Traffic from Victim

Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.

If done via SMS messages, Android apps must hold the SEND_SMS permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS.

| Item | Value |
|---|---|
| ID | T1643 |
| Sub-techniques | |
| Tactics | TA0034 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 06 April 2022 |
| Last Modified | 20 March 2023 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0440 | Agent Smith | Agent Smith shows fraudulent ads to generate revenue. [11] |
| S0525 | Android/AdDisplay.Ashas | Android/AdDisplay.Ashas can generate revenue by automatically displaying ads. [4] |
| S0293 | BrainTest | BrainTest provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store. [1] |
| S0432 | Bread | Bread can perform SMS fraud on older versions of the malware, and toll fraud on newer versions. [14] |
| S0290 | Gooligan | Gooligan can install adware to generate revenue. [12] |
| S0322 | HummingBad | HummingBad can create fraudulent statistics inside the official Google Play Store, and has generated revenue from installing fraudulent apps and displaying malicious advertisements. [6] |
| S0321 | HummingWhale | HummingWhale generates revenue by displaying fraudulent ads and automatically installing apps. When victims try to close the ads, HummingWhale runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue. [15] |
| S0325 | Judy | Judy uses infected devices to generate fraudulent clicks on advertisements to generate revenue. [10] |
| S0303 | MazarBOT | MazarBOT can send messages to premium-rate numbers. [16] |
| S0291 | PJApps | PJApps has the capability to send messages to premium SMS numbers. [13] |
| S0326 | RedDrop | RedDrop tricks the user into sending SMS messages to premium services and then deletes those messages. [3] |
| S0419 | SimBad | SimBad generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads. [7] |
| S0545 | TERRACOTTA | TERRACOTTA has generated non-human advertising impressions. [2] |
| S0424 | Triada | Triada can redirect ad banner URLs on websites visited by the user to specific ad URLs. [9][8] |
| S0494 | Zen | Zen can simulate user clicks on ads. [5] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1011 | User Guidance | Users should be advised that applications generally do not require permission to send SMS messages. |

Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | Permissions Requests |
| DS0042 | User Interface | System Settings |
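The Application Vetting / Permissions Requests detection above amounts to checking whether an app asks for the SEND_SMS permission that the technique depends on. The following is an added example, not code from the ATT&CK page: it parses an AndroidManifest.xml (a constructed sample for a hypothetical "flashlight" app) and flags SMS-related permission requests for reviewer attention. The RECEIVE_SMS and READ_SMS entries are real Android permissions added here for context; the `vet_sms_permissions` and `requested_permissions` helper names are this example's own.

```python
import xml.etree.ElementTree as ET

# Namespace that the manifest uses for attributes such as android:name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# SEND_SMS is the permission named by ATT&CK; RECEIVE_SMS and READ_SMS are
# related permissions that let an app see billing confirmations (assumption:
# treat them as worth a second look in the same review).
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS, including to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS such as billing confirmations",
    "android.permission.READ_SMS": "can read SMS stored on the device",
}

def requested_permissions(manifest_xml: str) -> list[str]:
    """Return android:name of every <uses-permission> / <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names

def vet_sms_permissions(manifest_xml: str) -> dict:
    """Summarise SMS-related permission requests for a human vetting step."""
    perms = requested_permissions(manifest_xml)
    findings = {p: SMS_PERMISSIONS[p] for p in perms if p in SMS_PERMISSIONS}
    return {
        "permissions": perms,
        "sms_findings": findings,
        # Per M1011, most apps have no business sending SMS; SEND_SMS alone
        # is enough to route the app to manual review.
        "needs_review": "android.permission.SEND_SMS" in findings,
    }

# Constructed sample: a "flashlight" app that also asks to send SMS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    report = vet_sms_permissions(SAMPLE_MANIFEST)
    for perm, why in report["sms_findings"].items():
        print(f"REVIEW {perm}: {why}")
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or aapt) and feed the text form to the same check.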

References

1. Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
2. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.
3. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.
4. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.
5. Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins. Retrieved July 27, 2020.
6. Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.
7. Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.
8. Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019.
9. Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.
10. CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.
11. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
12. Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.
13. Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.
14. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends). Retrieved April 27, 2020.
15. Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.
16. Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.