TERRACOTTA

TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]

ID: S0545
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 18 December 2020
Last Modified: 28 December 2020

Techniques Used

Domain ID Name Use
Mobile T1407 Download New Code at Runtime

TERRACOTTA can download additional modules at runtime via JavaScript eval statements.[1]

Mobile T1624 .001 Event Triggered Execution: Broadcast Receivers

TERRACOTTA has registered several broadcast receivers.[1]

Mobile T1541 Foreground Persistence

TERRACOTTA has utilized foreground services.[1]

Mobile T1643 Generate Traffic from Victim

TERRACOTTA has generated non-human advertising impressions.[1]

Mobile T1417 .002 Input Capture: GUI Input Capture

TERRACOTTA has displayed a form to collect user data after installation.[1]

Mobile T1516 Input Injection

TERRACOTTA can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.[1]

Mobile T1575 Native API

TERRACOTTA has included native modules.[1]

Mobile T1406 Obfuscated Files or Information

TERRACOTTA has stored encoded strings.[1]

Mobile T1603 Scheduled Task/Job

TERRACOTTA has used timer events in React Native to initiate the foreground service.[1]

Mobile T1582 SMS Control

TERRACOTTA can send SMS messages.[1]

Mobile T1418 Software Discovery

TERRACOTTA can obtain a list of installed apps.[1]

Mobile T1422 System Network Configuration Discovery

TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.[1]

Mobile T1633 .001 Virtualization/Sandbox Evasion: System Checks

TERRACOTTA checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings[1].

Mobile T1481 .002 Web Service: Bidirectional Communication

TERRACOTTA has used Firebase for C2 communication.[1]

References