SimBad was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.^[1]

ID: S0419

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.0

Created: 21 November 2019

Last Modified: 27 January 2020

Techniques Used

Domain	ID	Name	Use
Mobile	T1402	Broadcast Receivers	SimBad registers for the `BOOT_COMPLETED` and `USER_PRESENT` broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.^[1]
Mobile	T1475	Deliver Malicious App via Authorized App Store	SimBad was distributed via the Google Play Store.^[1]
Mobile	T1476	Deliver Malicious App via Other Means	SimBad can install attacker-specified applications.^[1]
Mobile	T1472	Generate Fraudulent Advertising Revenue	SimBad generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.^[1]
Mobile	T1444	Masquerade as Legitimate Application	SimBad was embedded into legitimate applications.^[1]
Mobile	T1508	Suppress Application Icon	SimBad hides its icon from the application launcher.^[1]

References

Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.

SimBad

Mobile Layer

Techniques Used

References