TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]

ID: S0545
Platforms: Android
Version: 1.0
Created: 18 December 2020
Last Modified: 28 December 2020

Techniques Used

Domain ID Name Use
Mobile T1418 Application Discovery

TERRACOTTA can obtain a list of installed apps.[1]

Mobile T1402 Broadcast Receivers

TERRACOTTA has registered several broadcast receivers.[1]

Mobile T1407 Download New Code at Runtime

TERRACOTTA can download additional modules at runtime via JavaScript eval statements.[1]

Mobile T1523 Evade Analysis Environment

TERRACOTTA checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings[1].

Mobile T1541 Foreground Persistence

TERRACOTTA has utilized foreground services.[1]

Mobile T1472 Generate Fraudulent Advertising Revenue

TERRACOTTA has generated non-human advertising impressions.[1]

Mobile T1516 Input Injection

TERRACOTTA can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.[1]

Mobile T1411 Input Prompt

TERRACOTTA has displayed a form to collect user data after installation.[1]

Mobile T1575 Native Code

TERRACOTTA has included native modules.[1]

Mobile T1406 Obfuscated Files or Information

TERRACOTTA has stored encoded strings.[1]

Mobile T1603 Scheduled Task/Job

TERRACOTTA has used timer events in React Native to initiate the foreground service.[1]

Mobile T1582 SMS Control

TERRACOTTA can send SMS messages.[1]

Mobile T1422 System Network Configuration Discovery

TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.[1]

Mobile T1481 Web Service

TERRACOTTA has used Firebase for C2 communication.[1]