S0419: SimBad
SimBad was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.[1]
Analyst context for executives and security teams
SimBad matters because it shows how unwanted or malicious behavior can enter an Android environment through apps that appear legitimate, in this case adware distributed through the RXDroider SDK and seen in simulator games on Google Play. For security leaders, the practical issue is not only the adware label; it is the combination of mobile persistence, hidden presence, deceptive naming, and victim-generated traffic that can undermine user trust, mobile fleet hygiene, and incident triage.
Executive priority
Prioritize SimBad as a mobile supply-chain and endpoint governance scenario: can the organization identify risky Android apps, prove what app telemetry is collected, and remove or restrict apps that hide from users or generate unexpected network traffic? This is relevant to mobile security policy, managed detection expectations, incident response readiness, and compliance evidence for mobile device oversight. Because ATT&CK provides no official detection text for this object, leaders should ask whether coverage is based on validated telemetry rather than assumed app-store trust.
Technical view
For SOC, detection engineering, and IR teams, validate Android visibility around the related behaviors: Broadcast Receivers for event-triggered execution, Suppress Application Icon for hiding from the launcher, Generate Traffic from Victim for unexpected outbound web or SMS activity, and Match Legitimate Name or Location for misleading app identity. Review whether mobile security tooling can surface installed packages, SDK indicators, receiver registrations, launcher visibility, package names/icons, permissions, and network destinations. Triage should account for the supplied platform scope: Android only.
Likely telemetry
- Android installed application/package inventory
- Application manifest and broadcast receiver registration data
- Launcher icon visibility or app hiding indicators
- Application permissions, especially those enabling network activity and, where present, SMS behavior
- Mobile network/DNS/web traffic from devices or apps
Detection direction
- Validate that Android app inventory includes package names, app names, icons, source/install context, and SDK-related indicators where available.
- Look for apps that remain installed while suppressing launcher visibility, especially when paired with suspicious outbound traffic.
- Correlate event-triggered execution mechanisms such as broadcast receivers with unexpected background activity.
- Tune for false positives: legitimate apps can use broadcast receivers and generate network traffic, so prioritize combinations of hidden presence, deceptive naming, unusual traffic, and policy violations.
- Because no official ATT&CK detection guidance is provided, document local data sources and tested detection logic rather than relying on the software name alone.
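The combination rule above, as an added example that is not part of the ATT&CK object, the Check Point research or Glexia's tooling: a small triage routine that maps one normalised Android inventory record to the four related techniques and assigns severity only when behaviours combine. The `AppRecord` layout is an assumed normalisation of what an MDM or mobile security agent could export per package, and every record, label, host and approved-app mapping below is constructed.

```python
"""Correlate Android app-inventory telemetry for SimBad-like behaviour.

Added example; not code from the ATT&CK object, Check Point or Glexia.
AppRecord is an assumed normalisation of an MDM / mobile-agent export;
all sample records below are constructed.
"""
from dataclasses import dataclass, field

# Broadcast actions the ATT&CK relationship text says SimBad registered for (T1624.001).
EVENT_TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}
NETWORK_PERMISSIONS = {"android.permission.INTERNET"}
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}


@dataclass
class AppRecord:
    package: str
    label: str                                        # name shown to the user
    launcher_visible: bool                            # icon present in the launcher
    receivers: set = field(default_factory=set)       # registered broadcast actions
    permissions: set = field(default_factory=set)
    outbound_hosts: set = field(default_factory=set)  # destinations seen in app/device traffic


def triage(app: AppRecord, approved_labels: dict, expected_hosts: set) -> dict:
    """Map one inventory record to ATT&CK-aligned findings and a severity.

    approved_labels: label -> package for organisation-approved apps, used to
    spot a familiar name on an unfamiliar package (T1655.001).
    expected_hosts: destinations considered normal for this fleet.
    """
    findings = []
    if not app.launcher_visible:
        findings.append("hidden_icon")                 # T1628.001
    if app.receivers & EVENT_TRIGGER_ACTIONS:
        findings.append("event_triggered_execution")   # T1624.001
    unexpected = app.outbound_hosts - expected_hosts
    if unexpected and app.permissions & (NETWORK_PERMISSIONS | SMS_PERMISSIONS):
        findings.append("unexpected_traffic")          # T1643
    expected_pkg = approved_labels.get(app.label)
    if expected_pkg is not None and expected_pkg != app.package:
        findings.append("name_mismatch")               # T1655.001

    # Tuning rule from the detection guidance: receivers and traffic alone are
    # normal, so severity depends on the combination, anchored on hidden presence.
    if "hidden_icon" in findings and len(findings) >= 2:
        severity = "high"
    elif len(findings) >= 2:
        severity = "medium"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {"package": app.package, "findings": findings, "severity": severity,
            "unexpected_hosts": sorted(unexpected)}


# Constructed fleet sample: a benign game, a SimBad-like hidden package, and a
# package borrowing an approved app's label.
APPROVED = {"Fleet Mail": "com.example.fleetmail"}
EXPECTED_HOSTS = {"api.example-game.test", "mail.example.test"}
INVENTORY = [
    AppRecord("com.example.racing", "Racing Fun", True,
              {"android.intent.action.BOOT_COMPLETED"},
              {"android.permission.INTERNET"}, {"api.example-game.test"}),
    AppRecord("com.constructed.simgame", "Truck Simulator Pro", False,
              set(EVENT_TRIGGER_ACTIONS),
              {"android.permission.INTERNET"}, {"ads.constructed-host.test"}),
    AppRecord("com.constructed.lookalike", "Fleet Mail", True,
              set(), {"android.permission.INTERNET"}, {"collect.constructed.test"}),
]


def triage_fleet(inventory=INVENTORY, approved=APPROVED, expected_hosts=EXPECTED_HOSTS):
    """Return findings for every package, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    return sorted((triage(a, approved, expected_hosts) for a in inventory),
                  key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for r in triage_fleet():
        print(f'{r["severity"]:6} {r["package"]:30} {", ".join(r["findings"]) or "-"}')
```

The benign game registers a boot receiver and talks to an expected host, so it surfaces as a single low-severity finding rather than an alert; the hidden package with both trigger receivers and an unexpected destination reaches high. Replace the constructed allowlists with the fleet's approved-app list and known destinations before using the logic on real inventory.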
Mitigation priorities
- Maintain enforceable Android app governance through approved app lists, managed app stores, or mobile device management controls where applicable.
- Require visibility into installed applications and remove or restrict apps that violate enterprise policy or cannot be justified by business need.
- Use mobile security controls that can inspect application metadata, permissions, hidden icons, and suspicious network behavior.
- Educate users and help desks to escalate reports of apps that disappear from the launcher, behave like adware, or are hard to uninstall.
- Preserve mobile device and app telemetry during response so teams can support compliance, root-cause analysis, and fleet-wide scoping.
Analyst notes and limits
The supplied ATT&CK object identifies SimBad as Android adware distributed through the RXDroider SDK and controlled using Parse Server, with relationships to mobile techniques for broadcast receivers, suppressing the app icon, generating victim traffic, and matching legitimate names or locations. The most useful defensive takeaway is to validate mobile fleet telemetry and app governance against those behaviors, not to assume that app-store origin or game branding reduces risk.
ATT&CK provides no official detection section, no tactics for this object in the supplied fields, and only one external research reference. This take does not assert current activity, attribution, impact, or guaranteed detectability. Local device management, mobile security tooling, and network telemetry are required to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1624.001 | Broadcast Receivers | SimBad registers for the `BOOT_COMPLETED` and `USER_PRESENT` broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.[1] |
| Mobile | T1643 | Generate Traffic from Victim | SimBad generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.[1] |
| Mobile | T1655.001 | Match Legitimate Name or Location | SimBad was embedded into legitimate applications.[1] |
| Mobile | T1628.001 | Suppress Application Icon | SimBad hides its icon from the application launcher.[1] |
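Two of the behaviours in the table leave a trace in `AndroidManifest.xml`: the `BOOT_COMPLETED` / `USER_PRESENT` receivers (T1624.001) and a launcher entry that is missing or shipped disabled (T1628.001). The following static check, added here as an example and not code from the ATT&CK object, Check Point or Glexia, parses a manifest for both. Both manifests are constructed. An app can also hide its icon at runtime by disabling its launcher component after install, which a manifest check cannot see, so a visible launcher entry here means "not hidden by the manifest", not "cleared".

```python
"""Static AndroidManifest.xml check for SimBad-style receivers and icon hiding.

Added example; not code from the ATT&CK object, Check Point or Glexia.
The manifests at the bottom are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}


def attr(name: str) -> str:
    """ElementTree key for an android: namespaced attribute."""
    return f"{{{ANDROID_NS}}}{name}"


def names(elem, tag):
    """android:name values of the direct children with the given tag."""
    return {child.get(attr("name")) for child in elem.findall(tag)}


def analyze_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("no <application> element")

    # Receivers whose intent filters subscribe to the event-triggered actions (T1624.001).
    trigger_receivers = {}
    for rcv in app.findall("receiver"):
        hits = set()
        for filt in rcv.findall("intent-filter"):
            hits |= names(filt, "action") & TRIGGER_ACTIONS
        if hits:
            trigger_receivers[rcv.get(attr("name"))] = sorted(hits)

    # Launcher entries: MAIN action plus LAUNCHER category on an activity or alias.
    # A component declared with android:enabled="false" shows no icon (T1628.001).
    launcher_entries = []
    for comp in app.findall("activity") + app.findall("activity-alias"):
        for filt in comp.findall("intent-filter"):
            if ("android.intent.action.MAIN" in names(filt, "action")
                    and "android.intent.category.LAUNCHER" in names(filt, "category")):
                enabled = comp.get(attr("enabled"), "true").lower() != "false"
                launcher_entries.append((comp.get(attr("name")), enabled))

    return {
        "package": root.get("package"),
        "trigger_receivers": trigger_receivers,
        "launcher_entries": launcher_entries,
        "launcher_hidden_in_manifest": not any(en for _, en in launcher_entries),
    }


# Constructed manifest resembling the SimBad pattern: boot/unlock receiver plus a
# launcher alias shipped disabled, so no icon appears after install.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.constructed.simgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Truck Simulator Pro">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity-alias android:name=".Launcher" android:targetActivity=".MainActivity"
        android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: visible launcher activity, no trigger receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.racing">
  <application android:label="Racing Fun">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(analyze_manifest.__doc__ and manifest or manifest))
```

On a real device the manifest is obtained from the installed APK (for example after pulling it with the platform tools and decoding the binary XML); the parser above expects the decoded text form. A `RECEIVE_BOOT_COMPLETED` permission together with a disabled launcher alias is the pairing worth escalating, since either on its own is common in legitimate apps.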
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f97469f6fedd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CheckPoint SimBad 2019: Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019. (Open source URL)
[2] mitre-attack S0419. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.