S0525: Android/AdDisplay.Ashas
Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store. [1]
Analyst context for executives and security teams
Android/AdDisplay.Ashas matters because it shows how unwanted or malicious mobile software can reach users through ordinary app distribution channels and then make itself harder to notice or remove. For leaders, the practical issue is not only “adware,” but whether the organization can identify risky Android apps, preserve evidence from mobile devices, and respond when software uses discovery, web traffic, persistence-style Android mechanisms, icon hiding, and name-mimicry behaviors.
Executive priority
Prioritize this as a mobile security governance and readiness issue for Android fleets, especially where personal or managed devices access business data. The ATT&CK record does not provide impact or active exploitation claims, but the listed behaviors create decision points for app-vetting, mobile device management policy, SOC visibility, incident response collection, and audit evidence that mobile controls are more than policy statements.
Technical view
SOC, detection, and IR teams should validate coverage around the related ATT&CK behaviors: obfuscated files or information, software discovery, system information discovery, web protocol communications, Android broadcast receivers, suppressed launcher icons, system checks, generated outbound victim traffic, and matching legitimate names or locations. Because MITRE provides no official detection text for this object and no tactics are specified, teams should map local Android telemetry and mobile security tooling to these behaviors rather than assuming coverage from malware family name alone.
Likely telemetry
- Android installed application inventory, package names, app labels, icons, versions, and install source where available
- Mobile device management or enterprise mobility management compliance and app inventory records
- Android application permission and manifest data, including broadcast receiver registrations where collected
- Network telemetry for mobile device HTTP/HTTPS traffic patterns and destinations, subject to privacy and encryption limits
- Mobile threat defense alerts or sandbox/static analysis results for obfuscation, icon hiding, name mimicry, and environment checks
Detection direction
- Confirm whether tooling can detect apps that hide or suppress launcher icons, mimic legitimate names/icons/package locations, or register broadcast receivers for event-triggered execution.
- Tune app inventory monitoring to flag newly installed or policy-disallowed Android applications, especially apps from consumer app-store channels on devices with business access.
- Validate whether static and dynamic analysis can surface obfuscation, system checks, software discovery, and system information discovery without relying on a single indicator.
- Review outbound mobile web traffic visibility; HTTPS and normal app traffic can obscure command or generated-traffic behaviors, so detections should be behavior- and reputation-informed where policy allows.
- Account for false positives: legitimate apps may use web protocols, collect system information, or register broadcast receivers. Prioritize combinations of behaviors such as icon suppression plus name mimicry plus unusual outbound traffic.
Mitigation priorities
- Maintain enforceable Android app governance: approved app lists, restrictions on unmanaged apps for business access, and periodic inventory review.
- Use mobile device management or equivalent controls to support app removal, compliance checks, and evidence collection when suspicious apps are identified.
- Include mobile app static/dynamic analysis or mobile threat defense in the control plan where Android devices are material to business operations.
- Educate users and support teams that hidden icons or apps mimicking trusted names can complicate self-removal and helpdesk triage.
- Prepare IR procedures for mobile incidents, including device isolation decisions, app/package evidence preservation, and review of network activity and app inventory changes.
Analyst notes and limits
This take is based on the supplied ATT&CK software object for Android/AdDisplay.Ashas and its relationships to mobile ATT&CK techniques. The strongest defensive value is in validating Android fleet visibility and mobile app behavior coverage, not in inferring campaign scope or business impact beyond the official description.
MITRE provides no official detection text, no tactics for this object, no aliases, and only Android as the platform. The official description only states that this is an adware variant distributed through multiple Google Play Store apps. Local environment telemetry, app inventory, device ownership model, and mobile security tooling determine actual exposure and detection feasibility.
Android/AdDisplay.Ashas
Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store. [1]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1643 | Generate Traffic from Victim | Android/AdDisplay.Ashas can generate revenue by automatically displaying ads.CitationWeLiveSecurity AdDisplayAshas |
| Mobile | T1633.001 | System Checks Sub-technique | Android/AdDisplay.Ashas can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.CitationWeLiveSecurity AdDisplayAshas |
| Mobile | T1426 | System Information Discovery | Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if *developer mode* is enabled.CitationWeLiveSecurity AdDisplayAshas |
| Mobile | T1628.001 | Suppress Application Icon Sub-technique | Android/AdDisplay.Ashas can hide its icon and create a shortcut based on the C2 server response.CitationWeLiveSecurity AdDisplayAshas |
| Mobile | T1437.001 | Web Protocols Sub-technique | Android/AdDisplay.Ashas has communicated with the C2 server using HTTP.CitationWeLiveSecurity AdDisplayAshas |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | Android/AdDisplay.Ashas has mimicked Facebook and Google icons on the “Recent apps” screen to avoid discovery and uses the `com.google.xxx` package name to avoid detection.CitationWeLiveSecurity AdDisplayAshas |
| Mobile | T1418 | Software Discovery | Android/AdDisplay.Ashas has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.CitationWeLiveSecurity AdDisplayAshas |
| Mobile | T1406 | Obfuscated Files or Information | Android/AdDisplay.Ashas has hidden the C2 server address using base-64 encoding. CitationWeLiveSecurity AdDisplayAshas |
| Mobile | T1624.001 | Broadcast Receivers Sub-technique | Android/AdDisplay.Ashas has registered to receive the `BOOT_COMPLETED` broadcast intent to activate on device startup.CitationWeLiveSecurity AdDisplayAshas |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | b30acd763c3b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
WeLiveSecurity AdDisplayAshas
L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.
Open source URL -
[2]
mitre-attack S0525Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.