TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]
Domain | ID | Name | Use
---|---|---|---
Mobile | T1418 | Application Discovery | TERRACOTTA can obtain a list of installed apps.[1]
Mobile | T1402 | Broadcast Receivers | TERRACOTTA has registered several broadcast receivers.[1]
Mobile | T1407 | Download New Code at Runtime | TERRACOTTA can download additional modules at runtime via JavaScript.
Mobile | T1523 | Evade Analysis Environment | TERRACOTTA checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings.[1]
Mobile | T1541 | Foreground Persistence | TERRACOTTA has utilized foreground services.[1]
Mobile | T1472 | Generate Fraudulent Advertising Revenue | TERRACOTTA has generated non-human advertising impressions.[1]
Mobile | T1516 | Input Injection | TERRACOTTA can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.[1]
Mobile | T1411 | Input Prompt | TERRACOTTA has displayed a form to collect user data after installation.[1]
Mobile | T1575 | Native Code | TERRACOTTA has included native modules.[1]
Mobile | T1406 | Obfuscated Files or Information | TERRACOTTA has stored encoded strings.[1]
Mobile | T1603 | Scheduled Task/Job | TERRACOTTA has used timer events in React Native to initiate the foreground service.[1]
Mobile | T1582 | SMS Control | TERRACOTTA can send SMS messages.[1]
Mobile | T1422 | System Network Configuration Discovery | TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.[1]
Mobile | T1481 | Web Service | TERRACOTTA has used Firebase for C2 communication.[1]