Android/AdDisplay.Ashas

Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store. [1]

ID: S0525
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 29 October 2020
Last Modified: 29 October 2020

Techniques Used

Domain ID Name Use
Mobile T1437.001 Application Layer Protocol: Web Protocols

Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.[1]

Mobile T1624.001 Event Triggered Execution: Broadcast Receivers

Android/AdDisplay.Ashas has registered to receive the BOOT_COMPLETED broadcast intent to activate on device startup.[1]

Mobile T1643 Generate Traffic from Victim

Android/AdDisplay.Ashas can generate revenue by automatically displaying ads.[1]

Mobile T1628.001 Hide Artifacts: Suppress Application Icon

Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.[1]

Mobile T1655.001 Masquerading: Match Legitimate Name or Location

Android/AdDisplay.Ashas has mimicked Facebook and Google icons on the "Recent apps" screen to avoid discovery and uses the com.google.xxx package name to avoid detection.[1]

Mobile T1406 Obfuscated Files or Information

Android/AdDisplay.Ashas has hidden the C2 server address using base-64 encoding.[1]

Mobile T1418 Software Discovery

Android/AdDisplay.Ashas has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.[1]

Mobile T1426 System Information Discovery

Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, whether the device is rooted, and whether developer mode is enabled.[1]

Mobile T1633.001 Virtualization/Sandbox Evasion: System Checks

Android/AdDisplay.Ashas can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.[1]
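
Several of the behaviors listed above leave static traces that an app-vetting pipeline can check for. The following is an added example, not taken from the referenced report or from any tool's own code: a triage sketch that looks for a BOOT_COMPLETED receiver, a com.google.* package name, and base64 strings that decode to HTTP URLs. It assumes the manifest has already been decoded to text XML and the app's string constants extracted; the function names, sample manifest and sample URL are constructed for illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample input: a decoded manifest and extracted string constants.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.xxx">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["settings_title", base64.b64encode(b"http://c2.example.invalid/api").decode()]

def boot_receivers(manifest_xml):
    """Names of receivers that subscribe to BOOT_COMPLETED (T1624.001)."""
    hits = []
    for recv in ET.fromstring(manifest_xml).iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            hits.append(recv.get(ANDROID_NS + "name"))
    return hits

def encoded_http_urls(strings):
    """Strings that base64-decode to an http(s) URL (T1406 with T1437.001)."""
    urls = []
    for s in strings:
        if not B64_RE.match(s):
            continue
        try:
            decoded = base64.b64decode(s, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls

def triage(manifest_xml, strings):
    """A com.google.* package is only a prompt to verify the signing certificate."""
    package = ET.fromstring(manifest_xml).get("package", "")
    return {"boot_receivers": boot_receivers(manifest_xml),
            "google_like_package": package.startswith("com.google."),
            "encoded_urls": encoded_http_urls(strings)}
```

Each finding is a weak signal on its own, since many legitimate apps register for BOOT_COMPLETED; the combination is what merits a closer look.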

References