Generate Traffic from Victim

Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.

If done via SMS messages, Android apps must hold the SEND_SMS permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS

ID: T1643
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android, iOS
Version: 1.0
Created: 06 April 2022
Last Modified: 06 April 2022

Procedure Examples

ID Name Description
S0440 Agent Smith

Agent Smith shows fraudulent ads to generate revenue.[1]

S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas can generate revenue by automatically displaying ads.[2]

S0293 BrainTest

BrainTest provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store.[3]

S0432 Bread

Bread had many fake reviews and ratings on the Play Store.[4]

S0432 Bread

Bread can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.[4]

S0290 Gooligan

Gooligan can install adware to generate revenue.[5]

S0322 HummingBad

HummingBad can create fraudulent statistics inside the official Google Play Store.[6]

S0322 HummingBad

In July 2016, HummingBad generated more than $300,000 per month in revenue from installing fraudulent apps and displaying malicious advertisements.[6]

S0321 HummingWhale

HummingWhale generates revenue by displaying fraudulent ads and automatically installing apps. When victims try to close the ads, HummingWhale runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue.[7]

S0325 Judy

Judy uses infected devices to generate fraudulent clicks on advertisements to generate revenue.[8]

S0303 MazarBOT

MazarBOT can send messages to premium-rate numbers.[9]

S0291 PJApps

PJApps has the capability to send messages to premium SMS messages.[10]

S0326 RedDrop

RedDrop tricks the user into sending SMS messages to premium services and then deletes those messages.[11]

S0419 SimBad

SimBad generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.[12]


TERRACOTTA has generated non-human advertising impressions.[13]

S0424 Triada

Triada can redirect ad banner URLs on websites visited by the user to specific ad URLs.[14][15]

S0494 Zen

Zen can simulate user clicks on ads.[16]


ID Mitigation Description
M1011 User Guidance

Users should be advised that applications generally do not require permission to send SMS messages.


On Android, users can review which applications can use premium SMS features in the "Special access" page within application settings. Application vetting services can detect when applications request the SEND_SMS permission, which should be infrequently used.