SimBad was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.[1]

ID: S0419
Platforms: Android
Version: 1.0
Created: 21 November 2019
Last Modified: 27 January 2020

Techniques Used

Domain ID Name Use
Mobile T1402 Broadcast Receivers

SimBad registers for the BOOT_COMPLETED and USER_PRESENT broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.[1]

Mobile T1475 Deliver Malicious App via Authorized App Store

SimBad was distributed via the Google Play Store.[1]

Mobile T1476 Deliver Malicious App via Other Means

SimBad can install attacker-specified applications.[1]

Mobile T1472 Generate Fraudulent Advertising Revenue

SimBad generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.[1]

Mobile T1444 Masquerade as Legitimate Application

SimBad was embedded into legitimate applications.[1]

Mobile T1508 Suppress Application Icon

SimBad hides its icon from the application launcher.[1]