Android/AdDisplay.Ashas

Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store.[1]

ID: S0525
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 29 October 2020
Last Modified: 29 October 2020

Techniques Used

Domain ID Name Use
Mobile T1418 Application Discovery

Android/AdDisplay.Ashas has checked how many apps are installed on the device and, specifically, whether Facebook or Facebook Messenger is installed.[1]

Mobile T1402 Broadcast Receivers

Android/AdDisplay.Ashas has registered to receive the BOOT_COMPLETED broadcast intent to activate on device startup.[1]

Mobile T1475 Deliver Malicious App via Authorized App Store

Android/AdDisplay.Ashas has been identified in 42 apps in the Google Play Store.[1]

Mobile T1523 Evade Analysis Environment

Android/AdDisplay.Ashas checks that the device's IP address is not within known Google IP ranges before triggering its payload, and delays payload deployment so that the adware is not detected during testing and the unwanted ads are not associated with the app that displays them.[1]
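The two gates described above, an IP-range check and a delay after first run, modelled as an added example (this is illustrative logic, not ESET's analysis code or the adware's own code). The network ranges and the delay value are constructed placeholders; a real sample would carry its own list of Google-owned ranges and its own timer. The point for anyone running dynamic analysis is that both gates must pass before any ad-related behaviour appears, so a sandbox egressing from a Google-owned IP, or one that does not advance the clock, will see nothing.

```python
"""Model of the T1523 gating described for Android/AdDisplay.Ashas.
Added example; not code from ESET, MITRE, or the adware. All ranges and
timings below are constructed placeholders."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Placeholder standing in for a hard-coded list of Google-owned networks.
# These are documentation-reserved ranges, chosen so the example never
# matches real infrastructure.
ASSUMED_GOOGLE_RANGES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")
]

# Assumed dormancy period after first launch (placeholder value).
ASSUMED_DELAY = timedelta(minutes=30)


def ip_in_ranges(ip_text, ranges=ASSUMED_GOOGLE_RANGES):
    """True if ip_text parses as an address inside any of `ranges`."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def payload_gate(public_ip, first_run, now, delay=ASSUMED_DELAY):
    """Return (allowed, reason). The payload runs only when the device's
    public IP is outside the blocked ranges AND `delay` has elapsed since
    `first_run`. `now` is injected so an analyst can test clock skew."""
    if ip_in_ranges(public_ip):
        return False, "egress IP is in a blocked (assumed Google) range"
    elapsed = now - first_run
    if elapsed < delay:
        remaining = delay - elapsed
        return False, f"dormant for another {int(remaining.total_seconds())}s"
    return True, "both gates passed"


if __name__ == "__main__":
    t0 = datetime(2019, 10, 1, 12, 0, tzinfo=timezone.utc)
    print(payload_gate("203.0.113.7", t0, t0 + timedelta(hours=1)))
    print(payload_gate("192.0.2.44", t0, t0 + timedelta(minutes=5)))
    print(payload_gate("192.0.2.44", t0, t0 + timedelta(hours=1)))
```

When instrumenting a sample, the useful inversion of this logic is to confirm the sandbox's egress address is not inside the sample's embedded range list and to advance the device clock (or patch the timer) past the dormancy window before expecting any network or UI activity.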

Mobile T1472 Generate Fraudulent Advertising Revenue

Android/AdDisplay.Ashas can generate revenue by automatically displaying ads.[1]

Mobile T1444 Masquerade as Legitimate Application

Android/AdDisplay.Ashas has mimicked Facebook and Google icons on the "Recent apps" screen to avoid discovery, and uses a package name of the form com.google.xxx to avoid detection.[1]
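Both the BOOT_COMPLETED receiver (T1402, above) and the com.google.xxx package name (T1444) are visible statically in a decoded APK's AndroidManifest.xml, so a triage script can flag them before any dynamic analysis. The following is an added example written for this page, not ESET's tooling or the adware's code; the manifest it parses is constructed to resemble what such an app exposes, and the signer check is represented by a caller-supplied flag because signature verification is outside the scope of the example.

```python
"""Static manifest triage for two indicators on this page:
a receiver listening for BOOT_COMPLETED (T1402) and a package name in
Google's com.google.* namespace that Google did not sign (T1444).
Added example; the manifest below is constructed, not taken from a sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample manifest modelled on a decoded APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.google.xxx">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Video Downloader">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def boot_receivers(root):
    """Names of <receiver> components whose intent-filter includes BOOT_COMPLETED."""
    found = []
    for recv in root.iter("receiver"):
        actions = {attr(a, "name") for a in recv.iter("action")}
        if BOOT_ACTION in actions:
            found.append(attr(recv, "name"))
    return found


def requests_boot_permission(root):
    return any(attr(p, "name") == BOOT_PERMISSION for p in root.iter("uses-permission"))


def impersonates_google_namespace(root, signer_is_google=False):
    """com.google.* is only legitimate when the APK carries Google's signing
    certificate. Verifying the signer is out of scope here; the caller passes
    the result of that check in."""
    pkg = root.get("package", "")
    return pkg.startswith("com.google.") and not signer_is_google


def triage(manifest_xml, signer_is_google=False):
    """Return a dict of technique ID -> finding for the indicators above."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    recvs = boot_receivers(root)
    if recvs:
        findings["T1402"] = "BOOT_COMPLETED receiver(s): " + ", ".join(recvs)
    elif requests_boot_permission(root):
        findings["T1402"] = "RECEIVE_BOOT_COMPLETED requested but no receiver declares the action"
    if impersonates_google_namespace(root, signer_is_google):
        findings["T1444"] = f"package {root.get('package')} uses Google's namespace without Google's signing key"
    return findings


if __name__ == "__main__":
    for tid, msg in triage(SAMPLE_MANIFEST).items():
        print(tid, msg)
```

A receiver for BOOT_COMPLETED is common in legitimate apps, so the finding is a prompt to look further rather than a verdict; the namespace finding is much stronger, since nothing outside Google should ship under com.google.* without Google's certificate.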

Mobile T1406 Obfuscated Files or Information

Android/AdDisplay.Ashas has hidden the C2 server address using Base64 encoding.[1]

Mobile T1437 Standard Application Layer Protocol

Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.[1]
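Base64 hides the C2 address from a naive string search (T1406, above) but not from one that tries to decode every Base64-shaped token, and because the C2 traffic is plain HTTP (T1437) the recovered string carries the scheme as well. The script below is an added example for this page, not ESET's or MITRE's code; the strings dump it scans is constructed to look like `strings` output from a classes.dex, and the decoded domain is a placeholder, not the real Ashas C2.

```python
"""Recover Base64-hidden URLs from a strings dump (T1406) and report the
scheme they decode to (T1437). Added example, not code from ESET or MITRE.
The dump below is constructed; the URL inside it is a placeholder."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample: benign identifiers, one Base64 blob wrapping a URL,
# and a long alphanumeric decoy that must not be reported.
SAMPLE_STRINGS = """\
Landroid/content/BroadcastReceiver;
onReceive
getInstalledApplications
aHR0cDovL3VwZGF0ZS5leGFtcGxlLm5ldC9hcGkvY2hlY2s=
com.google.xxx
Ljava/lang/String;
setComponentEnabledSetting
"""

# A token is worth trying only if it is made of the Base64 alphabet and is
# long enough that an identifier is unlikely to match by accident.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_candidate(token):
    """Return decoded text if `token` is strict Base64 for printable ASCII, else None."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def looks_like_url(text):
    parts = urlsplit(text)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def hidden_urls(strings_dump):
    """Return [(encoded, decoded, scheme)] for every Base64 line hiding a URL."""
    hits = []
    for line in strings_dump.splitlines():
        token = line.strip()
        decoded = decode_candidate(token)
        if decoded and looks_like_url(decoded):
            hits.append((token, decoded, urlsplit(decoded).scheme))
    return hits


if __name__ == "__main__":
    for enc, dec, scheme in hidden_urls(SAMPLE_STRINGS):
        print(f"{enc} -> {dec} ({scheme})")
```

The decoy `getInstalledApplications` is 24 Base64-alphabet characters, so the regex accepts it; it is rejected only because it decodes to non-ASCII bytes, which is why the printable-text check matters in practice. A recovered `http://` URL also tells the analyst that the C2 exchange can be captured and modified in cleartext on the wire.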

Mobile T1508 Suppress Application Icon

Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.[1]

Mobile T1426 System Information Discovery

Android/AdDisplay.Ashas can collect information about the device, including device type, OS version, language, free storage space, battery status, whether the device is rooted, and whether developer mode is enabled.[1]

References