This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Android/AdDisplay.Ashas

Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store. ^[1]

ID: S0525

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.0

Created: 29 October 2020

Last Modified: 29 October 2020

Techniques Used

Domain	ID		Name	Use
Mobile	T1418		Application Discovery	Android/AdDisplay.Ashas has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.^[1]
Mobile	T1402		Broadcast Receivers	Android/AdDisplay.Ashas has registered to receive the `BOOT_COMPLETED` broadcast intent to activate on device startup.^[1]
Mobile	T1475		Deliver Malicious App via Authorized App Store	Android/AdDisplay.Ashas has been identified in 42 apps in the Google Play Store.^[1]
Mobile	T1523		Evade Analysis Environment	Android/AdDisplay.Ashas can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.^[1]
Mobile	T1472		Generate Fraudulent Advertising Revenue	Android/AdDisplay.Ashas can generate revenue by automatically displaying ads.^[1]
Mobile	T1444		Masquerade as Legitimate Application	Android/AdDisplay.Ashas has mimicked Facebook and Google icons on the "Recent apps" screen to avoid discovery and uses the `com.google.xxx` package name to avoid detection.^[1]
Mobile	T1406		Obfuscated Files or Information	Android/AdDisplay.Ashas has hidden the C2 server address using base-64 encoding. ^[1]
Mobile	T1437		Standard Application Layer Protocol	Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.^[1]
Mobile	T1508		Suppress Application Icon	Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.^[1]
Mobile	T1426		System Information Discovery	Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if developer mode is enabled.^[1]

References

L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.