ATT&CKcon 6.0 is coming October 14-15 in McLean, VA and live online. To potentially join us on stage, submit to our CFP by July 9th

SimBad

SimBad was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.^[1]

ID: S0419

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.0

Created: 21 November 2019

Last Modified: 25 April 2025

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Mobile	T1624	.001	Event Triggered Execution: Broadcast Receivers	SimBad registers for the `BOOT_COMPLETED` and `USER_PRESENT` broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.^[1]
Mobile	T1643		Generate Traffic from Victim	SimBad generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.^[1]
Mobile	T1628	.001	Hide Artifacts: Suppress Application Icon	SimBad hides its icon from the application launcher.^[1]
Mobile	T1655	.001	Masquerading: Match Legitimate Name or Location	SimBad was embedded into legitimate applications.^[1]

References

Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.

SimBad

Mobile Layer

Techniques Used

References