Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store.[1]

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.[1] |
| Mobile | T1624.001 | Event Triggered Execution: Broadcast Receivers | Android/AdDisplay.Ashas has registered to receive the |
| Mobile | T1643 | Generate Traffic from Victim | Android/AdDisplay.Ashas can generate revenue by automatically displaying ads.[1] |
| Mobile | T1628.001 | Hide Artifacts: Suppress Application Icon | Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.[1] |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | Android/AdDisplay.Ashas has mimicked Facebook and Google icons on the "Recent apps" screen to avoid discovery and uses the |
| Mobile | T1406 | Obfuscated Files or Information | Android/AdDisplay.Ashas has hidden the C2 server address using base-64 encoding.[1] |
| Mobile | T1418 | Software Discovery | Android/AdDisplay.Ashas has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.[1] |
| Mobile | T1426 | System Information Discovery | Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if developer mode is enabled.[1] |
| Mobile | T1633.001 | Virtualization/Sandbox Evasion: System Checks | Android/AdDisplay.Ashas can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.[1] |