1. Home
  2. Techniques
  3. Mobile
  4. Generate Fraudulent Advertising Revenue

Generate Fraudulent Advertising Revenue

An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.

ID: T1472
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android, iOS
Version: 1.0
Created: 25 October 2017
Last Modified: 03 July 2019
Provided by LAYER 8

Procedure Examples

ID Name Description
S0440 Agent Smith

Agent Smith shows fraudulent ads to generate revenue.[1]
S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas can generate revenue by automatically displaying ads.[2]
S0290 Gooligan

Gooligan can install adware to generate revenue.[3]
S0322 HummingBad

In July 2016, HummingBad generated more than $300,000 per month in revenue from installing fraudulent apps and displaying malicious advertisements.[4]
S0321 HummingWhale

HummingWhale generates revenue by displaying fraudulent ads and automatically installing apps. When victims try to close the ads, HummingWhale runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue.[5]
S0325 Judy

Judy uses infected devices to generate fraudulent clicks on advertisements to generate revenue.[6]
S0419 SimBad

SimBad generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.[7]
S0545 TERRACOTTA

TERRACOTTA has generated non-human advertising impressions.[8]
S0424 Triada

Triada can redirect ad banner URLs on websites visited by the user to specific ad URLs.[9][10]

S0494 Zen

Zen can simulate user clicks on ads.[11]

Mitigations

ID Mitigation Description
M1005 Application Vetting

References

  1. A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
  2. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.
  3. Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.
  4. Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.
  5. Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.
  6. CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.
  1. Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.
  2. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.
  3. Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.
  4. Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019.
  5. Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.